
<!DOCTYPE html>
<html lang="" class="loading">
<head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
    <meta name="viewport" content="width=device-width, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no">
    <title>BUU_wp - L3SLIE</title>
    <meta name="apple-mobile-web-app-capable" content="yes" />
    <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
    <meta name="google" content="notranslate" />
    <meta name="keywords" content="L3SLIE,"> 
    <meta name="description" content="Welcome &amp; suit yourself,今天开始刷buu计划，更新中···
DAY  1
crypto
传统知识+古典密码​        题目描述：
小明某一天收到一封密信，信中写了几个不同的年份
          辛卯，癸巳，丙戌，,"> 
    <meta name="author" content="L3SLIE"> 
    <link rel="alternative" href="atom.xml" title="L3SLIE" type="application/atom+xml"> 
    <link rel="icon" href="/img/favicon.png"> 
    <link href="https://fonts.loli.net/css?family=Roboto+Mono|Rubik&display=swap" rel="stylesheet">
    
<link rel="stylesheet" href="//at.alicdn.com/t/font_1429596_nzgqgvnmkjb.css">

    
<link rel="stylesheet" href="//cdn.bootcss.com/animate.css/3.7.2/animate.min.css">

    
<link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/social-share.js/1.0.16/css/share.min.css">

    
<link rel="stylesheet" href="//cdn.bootcss.com/codemirror/5.48.4/codemirror.min.css">

    
<link rel="stylesheet" href="//cdn.bootcss.com/codemirror/5.48.4/theme/dracula.css">

    
<link rel="stylesheet" href="/css/obsidian.css">

    
<link rel="stylesheet" href="/css/ball-atom.min.css">

<meta name="generator" content="Hexo 4.2.0"></head>


<body class="loading">
    <div class="loader">
        <div class="la-ball-atom la-2x">
            <div></div>
            <div></div>
            <div></div>
            <div></div>
        </div>
    </div>
    <span id="config-title" style="display:none">L3SLIE</span>
    <div id="loader"></div>
    <div id="single">
    <div class="scrollbar gradient-bg-rev"></div>
<div id="top" style="display: block;">
    <div class="bar" style="width: 0;"></div>
    <div class="navigation animated fadeIn fast delay-1s">
        <img id="home-icon" class="icon-home" src="/img/favicon.png" alt="" data-url="http://l3slie.gitee.io">
        <div id="play-icon" title="Play/Pause" class="iconfont icon-play"></div>
        <h3 class="subtitle">BUU_wp</h3>
        <div class="social">
            <!--        <div class="like-icon">-->
            <!--            <a href="javascript:;" class="likeThis active"><span class="icon-like"></span><span class="count">76</span></a>-->
            <!--        </div>-->
            <div>
                <div class="share">
                    
                        <a href="javascript:;" class="iconfont icon-share1"></a>
                        <div class="share-component-cc" data-disabled="facebook,douban,linkedin,diandian,tencent,google"></div>
                    
                </div>
            </div>
        </div>
    </div>
</div>

    <div class="section">
        <div class=article-header-wrapper>
    <div class="article-header">
        <div class="article-cover animated fadeIn" style="
            animation-delay: 600ms;
            animation-duration: 1.2s;
            background-image: 
                radial-gradient(ellipse closest-side, rgba(0, 0, 0, 0.65), #100e17),
                url(/img/cover1.jpg) ">
        </div>
        <div class="else">
            <p class="animated fadeInDown">
                
                <a href="/categories/XJUSEC"><b>「
                    </b>XJUSEC<b> 」</b></a>
                
                March 14, 2020
            </p>
            <h3 class="post-title animated fadeInDown"><a href="/2020/03/14/BUU-wp/" title="BUU_wp" class="">BUU_wp</a>
            </h3>
            
            <p class="post-count animated fadeInDown">
                
                <span>
                    <b class="iconfont icon-text2"></b> <i>Words count</i>
                    76k
                </span>
                
                
                <span>
                    <b class="iconfont icon-timer__s"></b> <i>Reading time</i>
                    1:09
                </span>
                
                
                <span id="/2020/03/14/BUU-wp/" class="leancloud_visitors" data-flag-title="BUU_wp">
                    <b class="iconfont icon-read"></b> <i>Read count</i>
                    <span class="leancloud-visitors-count">100000</span>
                </span>
                
                
            </p>
            
            
            <ul class="animated fadeInDown post-tags-list" itemprop="keywords"><li class="animated fadeInDown post-tags-list-item"><a class="animated fadeInDown post-tags-list-link" href="/tags/CTF/" rel="tag">CTF</a></li><li class="animated fadeInDown post-tags-list-item"><a class="animated fadeInDown post-tags-list-link" href="/tags/WP/" rel="tag">WP</a></li></ul>
            
        </div>
    </div>
</div>

<div class="screen-gradient-after">
    <div class="screen-gradient-content">
        <div class="screen-gradient-content-inside">
            <div class="bold-underline-links screen-gradient-sponsor">
                <p>
                    <span class="animated fadeIn delay-1s"></span>
                </p>
            </div>
        </div>
    </div>
</div>

<div class="article">
    <div class='main'>
        <div class="content markdown animated fadeIn">
            <p>今天开始刷buu计划，更新中···</p>
<h1 id="DAY-1"><a href="#DAY-1" class="headerlink" title="DAY  1"></a>DAY  1</h1><hr>
<h2 id="crypto"><a href="#crypto" class="headerlink" title="crypto"></a>crypto</h2><hr>
<h3 id="传统知识-古典密码"><a href="#传统知识-古典密码" class="headerlink" title="传统知识+古典密码"></a>传统知识+古典密码</h3><p>​        题目描述：</p>
<pre><code class="txt">小明某一天收到一封密信，信中写了几个不同的年份
          辛卯，癸巳，丙戌，辛未，庚辰，癸酉，己卯，癸巳。
          信的背面还写有“+甲子”，请解出这段密文。

key值：CTF{XXX}</code></pre>
<p>知识点：</p>
<p>六十甲子</p>
<p>甲、乙、丙、丁、戊、己、庚、辛、壬、癸被称为“十天干”，子、丑、寅、卯、辰、巳、午、未、申、酉、戌、亥叫作“十二地支”。</p>
<p>天干地支表</p>
<p><img src="http://gonglve.baidu.com/gonglve/api/getcontent?doc_id=65ba715e647d27284b7351a2&type=pic&src=1_7_642_790.jpg" alt="img"></p>
<p>映射数字</p>
<p>28 30 23 8 17 10 16 30  </p>
<p>+甲子（题目的意思应该是一个周期，+60，对应到ASCII码）</p>
<p>88 90 83 68 77 70 76 90</p>
<p>X Z S D M F L Z</p>
<p>古典密码 凯撒+栅栏</p>
<p>解出flag </p>
<p>SHUANGYU  #看起来是拼音其他的都没有逻辑</p>
<hr>
<h3 id="Windows系统密码"><a href="#Windows系统密码" class="headerlink" title="Windows系统密码"></a>Windows系统密码</h3><p>直接查MD5就行了</p>
<pre><code class="txt">Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ctf:1002:06af9108f2e1fecf144e2e8adef09efd:a7fcb22a88038f35a8f39d503e7f0062:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:bef14eee40dffbc345eeb3f58e290d56:::</code></pre>
<p>有几个空密码，几个都试试</p>
<p>flag为<code>a7fcb22a88038f35a8f39d503e7f0062</code>这串的MD5解密。</p>
<hr>
<h3 id="RSA1"><a href="#RSA1" class="headerlink" title="RSA1"></a>RSA1</h3><p>题目描述：</p>
<pre><code class="txt">p = 8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229 
q = 12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469 
dp = 6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929 
dq = 783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041 
c = 24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852</code></pre>
<p>已知p,q,c,dp,dq</p>
<pre><code class="python">ed ≡ 1 (mod φ(n))

φ (n) ≡ (p-1) * (q-1)

dp ≡ d mod (p-1)

dq ≡ d mod (q-1)</code></pre>
<p>贴一个中国剩余定理和RSA加密的文章</p>
<p>原文链接：<a href="https://blog.csdn.net/mrpre/article/details/79671263" target="_blank" rel="noopener">https://blog.csdn.net/mrpre/article/details/79671263</a></p>
<p>使用公钥加密和使用私钥解密流程（中国剩余定理）：<br>准备<br>首先，我们需要在在生成私钥公钥时，多生成几个数：<br>我们的d是e对phi(n)的逆元，我们现在需要另外2个逆元（分别是对(p-1)和(q-1)的），既<br>1：计算dp，使得<code>dp*e = 1 mod(p-1)</code><br>2：计算dq，使得<code>dq*e = 1 mod(q-1)</code><br>此外需要第三个元素，既q对p的逆元<br>3：计算<code>qInv</code>，使得<code>qInv * q = 1 mod p</code><br>1 2 3 都作为私钥的一部分。</p>
<p>计算<br>使用公钥加密：<br>若要加密明文m,则需要计算c = m^e mod n，c为密文。</p>
<p>私钥解密</p>
<p>1:<code>mp=c^dp mod p</code><br>2:<code>mq=c^dq mod q</code><br>3:<code>h= (qInv*((mp - mq)mod p)) mod p</code><br>4:<code>m = mq + h*q</code><br>m就是明文。</p>
<p>知道了解密步骤就可以写脚本了</p>
<pre><code class="python">import gmpy2
import libnum
def decrypt(dp,dq,p,q,c):
    qInv = gmpy2.invert(q, p)
    mp = pow(c, dp, p)
    mq = pow(c, dq, q)
    h = ((mp-mq)*qInv) % p
    m = (((mp-mq)*qInv) % p)*q+mq
    print (libnum.n2s(m))

p = 8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229 
q = 12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469 
dp = 6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929 
dq = 783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041 
c = 24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852
decrypt(dp,dq,p,q,c)
#noxCTF{W31c0m3_70_Ch1n470wn}</code></pre>
<p>中国剩余定理在RSA中有很多变形，做的多了会写一篇总结；</p>
<p>//四素数RSA算法</p>
<hr>
<h3 id="RSA2"><a href="#RSA2" class="headerlink" title="RSA2"></a>RSA2</h3><p>题目描述</p>
<pre><code class="txt">e = 65537
n = 248254007851526241177721526698901802985832766176221609612258877371620580060433101538328030305219918697643619814200930679612109885533801335348445023751670478437073055544724280684733298051599167660303645183146161497485358633681492129668802402065797789905550489547645118787266601929429724133167768465309665906113
dp = 905074498052346904643025132879518330691925174573054004621877253318682675055421970943552016695528560364834446303196939207056642927148093290374440210503657

c = 140423670976252696807533673586209400575664282100684119784203527124521188996403826597436883766041879067494280957410201958935737360380801845453829293997433414188838725751796261702622028587211560353362847191060306578510511380965162133472698713063592621028959167072781482562673683090590521214218071160287665180751</code></pre>
<p>应该也是中国剩余定理，但是dq不知道，但是给出了n，所以可以利用n来求dp</p>
<p>dp ≡ d mod φ(p) </p>
<p>e × dp ≡ ed mod φ(p)<br>ed = kφ(p) + edp<br>ed = (kφ(p)+edp) ≡ 1 mod φ(n)<br>kφ(p) + edp = k′(p−1)(q−1) + 1<br>移项得<br>(p−1)(k′(q−1)−k) + 1 = edp<br>∵dp&lt;(p−1)<br>∴e=65537&gt;(k′(q−1)−k)=x<br>然后枚举x就可以计算得出p−1<br>根据n可以算出所有的值</p>
<pre><code class="python">import gmpy2 as gp
import libnum
e = 65537
n = gp.mpz(248254007851526241177721526698901802985832766176221609612258877371620580060433101538328030305219918697643619814200930679612109885533801335348445023751670478437073055544724280684733298051599167660303645183146161497485358633681492129668802402065797789905550489547645118787266601929429724133167768465309665906113)
dp = gp.mpz(905074498052346904643025132879518330691925174573054004621877253318682675055421970943552016695528560364834446303196939207056642927148093290374440210503657)

c = gp.mpz(140423670976252696807533673586209400575664282100684119784203527124521188996403826597436883766041879067494280957410201958935737360380801845453829293997433414188838725751796261702622028587211560353362847191060306578510511380965162133472698713063592621028959167072781482562673683090590521214218071160287665180751)

for x in range(1, e):
    if(e*dp%x==1):
        p=(e*dp-1)//x+1
        if(n%p!=0):
            continue
        q=n//p
        phin=(p-1)*(q-1)
        d=gp.invert(e, phin)
        m=gp.powmod(c, d, n)
        if(len(hex(m)[2:])%2==1):
            continue
        print(&#39;--------------&#39;)
        print(m)
        print(libnum.n2s(m))
</code></pre>
<p>转str就是flag啦</p>
<hr>
<h3 id="RSA3"><a href="#RSA3" class="headerlink" title="RSA3"></a>RSA3</h3><p>题目描述</p>
<pre><code class="txt">c1=22322035275663237041646893770451933509324701913484303338076210603542612758956262869640822486470121149424485571361007421293675516338822195280313794991136048140918842471219840263536338886250492682739436410013436651161720725855484866690084788721349555662019879081501113222996123305533009325964377798892703161521852805956811219563883312896330156298621674684353919547558127920925706842808914762199011054955816534977675267395009575347820387073483928425066536361482774892370969520740304287456555508933372782327506569010772537497541764311429052216291198932092617792645253901478910801592878203564861118912045464959832566051361
n=22708078815885011462462049064339185898712439277226831073457888403129378547350292420267016551819052430779004755846649044001024141485283286483130702616057274698473611149508798869706347501931583117632710700787228016480127677393649929530416598686027354216422565934459015161927613607902831542857977859612596282353679327773303727004407262197231586324599181983572622404590354084541788062262164510140605868122410388090174420147752408554129789760902300898046273909007852818474030770699647647363015102118956737673941354217692696044969695308506436573142565573487583507037356944848039864382339216266670673567488871508925311154801
e1=11187289
c2=18702010045187015556548691642394982835669262147230212731309938675226458555210425972429418449273410535387985931036711854265623905066805665751803269106880746769003478900791099590239513925449748814075904017471585572848473556490565450062664706449128415834787961947266259789785962922238701134079720414228414066193071495304612341052987455615930023536823801499269773357186087452747500840640419365011554421183037505653461286732740983702740822671148045619497667184586123657285604061875653909567822328914065337797733444640351518775487649819978262363617265797982843179630888729407238496650987720428708217115257989007867331698397
e2=9647291</code></pre>
<p>有一个公共模数N，和两个密文两个加密指数，共模攻击</p>
<pre><code class="python">import gmpy2 as gp

def exgcd(a, b):
    if b==0:
        return 1, 0, a
    x2, y2, r = exgcd(b, a%b)
    x1 = y2
    y1 = x2-(a//b)*y2
    return x1, y1, r

c1=gp.mpz(22322035275663237041646893770451933509324701913484303338076210603542612758956262869640822486470121149424485571361007421293675516338822195280313794991136048140918842471219840263536338886250492682739436410013436651161720725855484866690084788721349555662019879081501113222996123305533009325964377798892703161521852805956811219563883312896330156298621674684353919547558127920925706842808914762199011054955816534977675267395009575347820387073483928425066536361482774892370969520740304287456555508933372782327506569010772537497541764311429052216291198932092617792645253901478910801592878203564861118912045464959832566051361)
n=gp.mpz(22708078815885011462462049064339185898712439277226831073457888403129378547350292420267016551819052430779004755846649044001024141485283286483130702616057274698473611149508798869706347501931583117632710700787228016480127677393649929530416598686027354216422565934459015161927613607902831542857977859612596282353679327773303727004407262197231586324599181983572622404590354084541788062262164510140605868122410388090174420147752408554129789760902300898046273909007852818474030770699647647363015102118956737673941354217692696044969695308506436573142565573487583507037356944848039864382339216266670673567488871508925311154801)
e1=gp.mpz(11187289)
c2=gp.mpz(18702010045187015556548691642394982835669262147230212731309938675226458555210425972429418449273410535387985931036711854265623905066805665751803269106880746769003478900791099590239513925449748814075904017471585572848473556490565450062664706449128415834787961947266259789785962922238701134079720414228414066193071495304612341052987455615930023536823801499269773357186087452747500840640419365011554421183037505653461286732740983702740822671148045619497667184586123657285604061875653909567822328914065337797733444640351518775487649819978262363617265797982843179630888729407238496650987720428708217115257989007867331698397)
e2=gp.mpz(9647291)

r1, r2, t = exgcd(e1, e2)
m = gp.powmod(c1, r1, n) * gp.powmod(c2, r2, n) % n
# print(m)
# print(hex(m)[2:])
print(bytes.fromhex(str(hex(m)[2:])))</code></pre>
<hr>
<h3 id="信息化时代的步伐"><a href="#信息化时代的步伐" class="headerlink" title="信息化时代的步伐"></a>信息化时代的步伐</h3><p>科普题，考察中文电码</p>
<pre><code class="txt">606046152623600817831216121621196386</code></pre>
<p>在这个<a href="http://code.mcdvisa.com/" target="_blank" rel="noopener">网站</a>查询这串电码</p>
<pre><code class="txt">中文电码反查汉字结果：
6060：计
4615：算
2623：机
6008：要
1783：从
1216：娃
1216：娃
2119：抓
6386：起</code></pre>
<hr>
<h3 id="old-fashion"><a href="#old-fashion" class="headerlink" title="old-fashion"></a>old-fashion</h3><pre><code class="txt">Os drnuzearyuwn, y jtkjzoztzoes douwlr oj y ilzwex eq lsdexosa kn pwodw tsozj eq ufyoszlbz yrl rlufydlx pozw douwlrzlbz, ydderxosa ze y rlatfyr jnjzli; mjy gfbmw vla xy wbfnsy symmyew (mjy vrwm qrvvrf), hlbew rd symmyew, mebhsymw rd symmyew, vbomgeyw rd mjy lxrzy, lfk wr dremj. Mjy eyqybzye kyqbhjyew mjy myom xa hyedrevbfn lf bfzyewy wgxwmbmgmbrf. Wr mjy dsln bw f1_2jyf-k3_jg1-vb-vl_l</code></pre>
<p>观察最后一串<code>dsln bw f1_2jyf-k3_jg1-vb-vl_l</code>，感觉像是flag，查替换密码</p>
<pre><code class="txt">?l fog?vryoe?sg, e h?dhv?v?v?rl f??sao ?h e ?avsrb rc alfrb?ly dg ?s?fs ?l?vh rc ?ne?lvaiv eoa oa?nefab ??vs f??saovaiv, effrob?ly vr e oay?neo hghva?; the units may be single letters (the most common), pairs of letters, triplets of letters, mi?tures of the above, and so forth. The receiver deciphers the te?t by performing an inverse substitution. So the flag is n1_2hen-d3_hu1-mi-ma_a</code></pre>
<p>查出来好多···，试了一圈上面的才是对的</p>
<hr>
<h3 id="萌萌哒八戒"><a href="#萌萌哒八戒" class="headerlink" title="萌萌哒八戒"></a>萌萌哒八戒</h3><p>猪圈密码</p>
<p><img src="https://img-blog.csdnimg.cn/20200215174731421.jpg" alt="对照"></p>
<p><img src="https://img-blog.csdnimg.cn/20200215174603697.jpg" alt="题目"></p>
<p>whenthepigwanttoeat</p>
<hr>
<h2 id="reverse"><a href="#reverse" class="headerlink" title="reverse"></a>reverse</h2><h3 id="SimpleRev"><a href="#SimpleRev" class="headerlink" title="SimpleRev"></a>SimpleRev</h3><p>找到关键函数</p>
<pre><code class="c">unsigned __int64 Decry()
{
  char v1; // [rsp+Fh] [rbp-51h]
  int v2; // [rsp+10h] [rbp-50h]
  int v3; // [rsp+14h] [rbp-4Ch]
  int i; // [rsp+18h] [rbp-48h]
  int v5; // [rsp+1Ch] [rbp-44h]
  char src[8]; // [rsp+20h] [rbp-40h]
  __int64 v7; // [rsp+28h] [rbp-38h]
  int v8; // [rsp+30h] [rbp-30h]
  __int64 v9; // [rsp+40h] [rbp-20h]
  __int64 v10; // [rsp+48h] [rbp-18h]
  int v11; // [rsp+50h] [rbp-10h]
  unsigned __int64 v12; // [rsp+58h] [rbp-8h]

  v12 = __readfsqword(0x28u);
  *(_QWORD *)src = &#39;SLCDN&#39;;                     // NDCLS
  v7 = 0LL;
  v8 = 0;
  v9 = &#39;wodah&#39;;                                 // hadow
  v10 = 0LL;
  v11 = 0;
  text = (char *)join(key3, &amp;v9);               // text=killshadow
  strcpy(key, key1);                            // ADSFK
  strcat(key, src);                             // key=ADSFKNDCLS
  v2 = 0;
  v3 = 0;
  getchar();
  v5 = strlen(key);                             // v5=10
  for ( i = 0; i &lt; v5; ++i )
  {
    if ( key[v3 % v5] &gt; &#39;@&#39; &amp;&amp; key[v3 % v5] &lt;= &#39;Z&#39; )
      key[i] = key[v3 % v5] + 32;               // key大写转换小写
    ++v3;
  }
  printf(&quot;Please input your flag:&quot;, src);
  while ( 1 )
  {
    v1 = getchar();
    if ( v1 == &#39;\n&#39; )
      break;
    if ( v1 == &#39; &#39; )
    {
      ++v2;
    }
    else
    {
      if ( v1 &lt;= &#39;`&#39; || v1 &gt; &#39;z&#39; )
      {
        if ( v1 &gt; &#39;@&#39; &amp;&amp; v1 &lt;= &#39;Z&#39; )
          str2[v2] = (v1 - 39 - key[v3++ % v5] + &#39;a&#39;) % 26 + &#39;a&#39;;
          //解出flag的关键操作
      }
      else
      {
        str2[v2] = (v1 - 39 - key[v3++ % v5] + &#39;a&#39;) % 26 + &#39;a&#39;;
      }
      if ( !(v3 % v5) )
        putchar(&#39; &#39;);
      ++v2;
    }
  }
  if ( !strcmp(text, str2) )                    // killshadow
    puts(&quot;Congratulation!\n&quot;);
  else
    puts(&quot;Try again!\n&quot;);
  return __readfsqword(0x28u) ^ v12;
}</code></pre>
<p>脚本</p>
<pre><code class="python">lt=&#39;ABCDEFGHIJKLMNOPQRSTUVWXYZ&#39;
key=list(&#39;ADSFKNDCLS&#39;.lower())
klens=len(key)

text=&#39;killshadow&#39;
flag=&#39;&#39;
for i in range(len(text)):
    str2=text[i]
    for c in lt:
        if str2== chr((ord(c) - 39 - ord(key[i  % klens]) + 97) % 26 + 97):
            flag+=c
            print(flag)

K
KL
KLD
KLDQ
KLDQC
KLDQCU
KLDQCUD
KLDQCUDF
KLDQCUDFZ
KLDQCUDFZO  #flag{KLDQCUDFZO}            </code></pre>
<hr>
<h3 id="CrackRTF"><a href="#CrackRTF" class="headerlink" title="CrackRTF"></a>CrackRTF</h3><p>这道题出的很巧妙</p>
<p>先来看主函数</p>
<pre><code class="c">int main_0()
{
  DWORD v0; // eax
  DWORD v1; // eax
  CHAR String; // [esp+4Ch] [ebp-310h]
  int v4; // [esp+150h] [ebp-20Ch]
  CHAR String1; // [esp+154h] [ebp-208h]
  BYTE pbData; // [esp+258h] [ebp-104h]

  memset(&amp;pbData, 0, 0x104u);
  memset(&amp;String1, 0, 0x104u);
  v4 = 0;
  printf(&quot;pls input the first passwd(1): &quot;);
  scanf(&quot;%s&quot;, &amp;pbData);
  if ( strlen((const char *)&amp;pbData) != 6 )
  {
    printf(&quot;Must be 6 characters!\n&quot;);
    ExitProcess(0);
  }
  v4 = atoi((const char *)&amp;pbData);             // ascii2int
  if ( v4 &lt; 100000 )
    ExitProcess(0);
  strcat((char *)&amp;pbData, &quot;@DBApp&quot;);
  v0 = strlen((const char *)&amp;pbData);
  sub_40100A(&amp;pbData, v0, &amp;String1);            // hash
  if ( !_strcmpi(&amp;String1, &quot;6E32D0943418C2C33385BC35A1470250DD8923A9&quot;) )// 123321@DBApp
  {
    printf(&quot;continue...\n\n&quot;);
    printf(&quot;pls input the first passwd(2): &quot;);
    memset(&amp;String, 0, 260u);
    scanf(&quot;%s&quot;, &amp;String);
    if ( strlen(&amp;String) != 6 )
    {
      printf(&quot;Must be 6 characters!\n&quot;);
      ExitProcess(0);
    }
    strcat(&amp;String, (const char *)&amp;pbData);
    memset(&amp;String1, 0, 0x104u);
    v1 = strlen(&amp;String);
    sub_401019((BYTE *)&amp;String, v1, &amp;String1);  //一样是hash加密
    if ( !_strcmpi(&quot;27019e688a4e62a649fd99cadaafdb4e&quot;, &amp;String1) )//无法爆破
    {
      if ( !sub_40100F(&amp;String) )   //关键在这个函数里
      {
        printf(&quot;Error!!\n&quot;);
        ExitProcess(0);
      }
      printf(&quot;bye ~~\n&quot;);
    }
  }
  return 0;
}</code></pre>
<p>进入<code>sub_40100F</code>中，发现代码基本上没见过，应该是用了一些库函数，网上找找</p>
<p>中间一些语句和函数的作用：</p>
<pre><code class="txt">LPCVOID是指向任何类型的常量的32位指针。
此类型声明如下：
 typedef const void * LPCVOID;

HRSRC FindResourceA(
  HMODULE hModule,
  LPCSTR  lpName,
  LPCSTR  lpType
);
FindResourceA function
Determines the location of a resource with the specified type and name in the specified module.
确定具有指定类型和名称的资源在指定模块中的位置。
hModule：处理包含资源的可执行文件的模块。NULL值则指定模块句柄指向操作系统通常情况下创建最近过程的相关位图文件。
lpName：指定资源名称。
lpType：指定资源类型。
返回值：如果函数运行成功，那么返回值为指向被指定资源信息块的句柄。为了获得这些资源，将这个句柄传递给LoadResource函数。如果函数运行失败，则返回值为NULL。


LoadResource function
检索一个句柄，该句柄可用于获取指向内存中指定资源的第一个字节的指针。


SizeofResource表示该函数返回指定资源的字节数大小。
</code></pre>
<p>让我们来看看函数</p>
<pre><code class="c">char __cdecl sub_4014D0(LPCSTR lpString)
{
  LPCVOID lpBuffer; // [esp+50h] [ebp-1Ch]
  DWORD NumberOfBytesWritten; // [esp+58h] [ebp-14h]
  DWORD nNumberOfBytesToWrite; // [esp+5Ch] [ebp-10h]
  HGLOBAL hResData; // [esp+60h] [ebp-Ch]
  HRSRC hResInfo; // [esp+64h] [ebp-8h]
  HANDLE hFile; // [esp+68h] [ebp-4h]

  hFile = 0;
  hResData = 0;
  nNumberOfBytesToWrite = 0;
  NumberOfBytesWritten = 0;
  hResInfo = FindResourceA(0, (LPCSTR)0x65, &quot;AAA&quot;);//从AAA文件中获取信息
  if ( !hResInfo )
    return 0;
  nNumberOfBytesToWrite = SizeofResource(0, hResInfo);
  hResData = LoadResource(0, hResInfo);
  if ( !hResData )
    return 0;
  lpBuffer = LockResource(hResData);//LockResource是指锁定资源并得到资源在内存中的第一个字节的指针。
  sub_401005(lpString, (int)lpBuffer, nNumberOfBytesToWrite);//这个函数中是异或操作
  hFile = CreateFileA(&quot;dbapp.rtf&quot;, 0x10000000u, 0, 0, 2u, 0x80u, 0);//新建一个dbapp.rtf文件
  if ( hFile == (HANDLE)-1 )
    return 0;
  if ( !WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, &amp;NumberOfBytesWritten, 0) )//写入flag
    return 0;
  CloseHandle(hFile);
  return 1;
}



unsigned int __cdecl sub_401420(LPCSTR lpString, int a2, int a3)//参数与sub_401005对应
{
  unsigned int result; // eax
  unsigned int i; // [esp+4Ch] [ebp-Ch]
  unsigned int v5; // [esp+54h] [ebp-4h]

  v5 = lstrlenA(lpString);
  for ( i = 0; ; ++i )
  {
    result = i;
    if ( i &gt;= a3 )//6
      break;
    *(_BYTE *)(i + a2) ^= lpString[i % v5];//将lpstring与a2中的每一位进行异或
  }                                        //lpstring是密码，a2是AAA文件中的前六位
  return result;
}</code></pre>
<p>这个异或操作的结果就是rtf文件头的前六位<code>{\rtf1</code>。</p>
<pre><code class="python">rtf = &#39;{\\rtf1&#39; #需要注意，\r需要转义，变成\\r
A = [0x05, 0x7D, 0x41, 0x15, 0x26, 0x01]
password=&#39;&#39;
for i in range(len(rtf)):
    x = ord(rtf[i]) ^ A[i]
    password+=chr(x)
print(password)
#第二段密码为：~!3a@0</code></pre>
<p>将密码输入程序中就会生成rtf文件，flag就在文件里</p>
<p>这道题目和我之前做过的感觉都不一样，长见识了</p>
<hr>
<h3 id="简单注册机"><a href="#简单注册机" class="headerlink" title="简单注册机"></a>简单注册机</h3><p>安卓逆向，打开apk反编译工具，查看源码，关键包在这里</p>
<pre><code class="java">package com.example.flag;

import android.text.Editable;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.EditText;
import android.widget.TextView;

class MainActivity$1
  implements View.OnClickListener
{
  MainActivity$1(MainActivity paramMainActivity, EditText paramEditText, TextView paramTextView) {}

  public void onClick(View paramView)
  {
    int j = 1;
    paramView = this.val$editview.getText().toString();
    if ((paramView.length() != 32) || (paramView.charAt(31) != &#39;a&#39;) || (paramView.charAt(1) != &#39;b&#39;) || (paramView.charAt(0) + paramView.charAt(2) - 48 != 56)) {
      j = 0;
    }
    if (j == 1)
    {
      paramView = &quot;dd2940c04462b4dd7c450528835cca15&quot;.toCharArray();//字符串转为数组
      paramView[2] = ((char)(paramView[2] + paramView[3] - 50));
      paramView[4] = ((char)(paramView[2] + paramView[5] - 48));
      paramView[30] = ((char)(paramView[31] + paramView[9] - 48));
      paramView[14] = ((char)(paramView[27] + paramView[28] - 97));
      j = 0;
      for (;;)
      {
        if (j &gt;= 16)
        {
          paramView = String.valueOf(paramView);
          this.val$textview.setText(&quot;flag{&quot; + paramView + &quot;}&quot;);
          return;
        }
        int i = paramView[(31 - j)];
        paramView[(31 - j)] = paramView[j];
        paramView[j] = i;
        j += 1;
      }
    }
    this.val$textview.setText(&quot;输入注册码错误&quot;);
  }
}
</code></pre>
<hr>
<h3 id="8086"><a href="#8086" class="headerlink" title="8086"></a>8086</h3><p>第二次BJDCTF…循环异或</p>
<pre><code class="python">s=[93,  85,  91, 100, 117, 126, 124, 116,  64, 123, 
  122,  64, 119, 106,  46, 125,  46, 126, 113,  64, 
  103, 106, 122, 123, 122,  64, 119, 122, 113,  87, 
  126,  47,  98,  59]
flag = &#39;&#39;
for i in s:
    flag+=chr(i^0x1f)
print (flag)</code></pre>
<hr>
<h2 id="misc"><a href="#misc" class="headerlink" title="misc"></a>misc</h2><h3 id="最简单的misc"><a href="#最简单的misc" class="headerlink" title="最简单的misc"></a>最简单的misc</h3><p>zip伪加密，打开secret缺少png文件头，补上得到hex转str就可以了</p>
<hr>
<h1 id="DAY-2"><a href="#DAY-2" class="headerlink" title="DAY 2"></a>DAY 2</h1><h2 id="reverse-1"><a href="#reverse-1" class="headerlink" title="reverse"></a>reverse</h2><h3 id="luck-guy"><a href="#luck-guy" class="headerlink" title="luck_guy"></a>luck_guy</h3><p>拖入IDA，进入主函数</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200505194750.png" alt=""></p>
<p>把输入的数据放入patch_me中作为参数</p>
<p>进入patch_me函数中</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200505201057.png" alt=""></p>
<p>跟进get_flag()</p>
<pre><code class="c">unsigned __int64 get_flag()
{
  unsigned int v0; // eax
  char v1; // al
  signed int i; // [rsp+4h] [rbp-3Ch]
  signed int j; // [rsp+8h] [rbp-38h]
  __int64 s; // [rsp+10h] [rbp-30h]
  char v6; // [rsp+18h] [rbp-28h]
  unsigned __int64 v7; // [rsp+38h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  v0 = time(0LL);
  srand(v0);
  for ( i = 0; i &lt;= 4; ++i )
  {
    switch ( rand() % 200 )         //生成0-199的随机数
    {
      case 1:
        puts(&quot;OK, it&#39;s flag:&quot;);
        memset(&amp;s, 0, 0x28uLL);
        strcat((char *)&amp;s, f1);      //f1中存的是flag的前半段&#39;GXY{do_not_&#39;
        strcat((char *)&amp;s, &amp;f2);     //与f2进行拼接，f2初始值为空
        printf(&quot;%s&quot;, &amp;s);
        break;
      case 2:
        printf(&quot;Solar not like you&quot;);
        break;
      case 3:
        printf(&quot;Solar want a girlfriend&quot;);
        break;
      case 4:
        v6 = 0;
        s = 9180147350284624745LL;  //0x7F666F6067756369LL
        strcat(&amp;f2, (const char *)&amp;s);
        break;
      case 5:
        for ( j = 0; j &lt;= 7; ++j )
        {
          if ( j % 2 == 1 )
            v1 = *(&amp;f2 + j) - 2;
          else
            v1 = *(&amp;f2 + j) - 1;
          *(&amp;f2 + j) = v1;
        }
        break;
      default:
        puts(&quot;emmm,you can&#39;t find flag 23333&quot;);
        break;
    }
  }
  return __readfsqword(0x28u) ^ v7;
}</code></pre>
<p>只有依次通过case4，case5，case1才能得到flag</p>
<p>判断出顺序之后就能写脚本跑flag了</p>
<pre><code class="python">f2 = [0x69,0x63,0x75,0x67,0x60,0x6f,0x66,0x7f,0 ]
for i in range(8):
    if i % 2 == 1:
        f2[i]-= 2
    else:
        f2[i]-= 1
f1 = &quot;GXY{do_not_&quot;
print (f1,end=&quot;&quot;)
for i in range(8):
    print (chr(f2[i]),end=&quot;&quot;)
#GXY{do_not_hate_me}</code></pre>
<hr>
<h2 id="crypto-1"><a href="#crypto-1" class="headerlink" title="crypto"></a>crypto</h2><h3 id="cat-flag"><a href="#cat-flag" class="headerlink" title="cat_flag"></a>cat_flag</h3><p>鸡腿猫是1，饭团猫是0，二进制转字符串就是flag</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200505224121.png" alt=""></p>
<h3 id="灵能精通"><a href="#灵能精通" class="headerlink" title="灵能精通"></a>灵能精通</h3><p>猪圈密码的变种</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200505224536.png" alt=""></p>
<p>对照解密即可</p>
<h3 id="燕言燕语"><a href="#燕言燕语" class="headerlink" title="燕言燕语"></a>燕言燕语</h3><p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200505225522.png" alt=""></p>
<p>维吉尼亚密码，key就是yanzi，解密即得flag</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200505225757.png" alt=""></p>
<h3 id="Y1nglish"><a href="#Y1nglish" class="headerlink" title="Y1nglish"></a>Y1nglish</h3><p>长字段的加密</p>
<pre><code class="txt">Nkbaslk ds sef aslckdqdqst. Sef aslckdqdqst qo lzqtbw usf ufkoplkt zth oscpslsfko. Dpkfk zfk uqjk dwcko su dscqao qt dpqo aslckdqdqst, kzap su npqap qo jkfw mzoqa. Qu wse zfk qtdkfkodkh qt tkdnsfw okaefqdw, nkbaslk ds czfdqaqczdk. Bkd lk dkbb wse z odsfw.
Q nzo pzjqtv hqttkf zd z fkodzefztd npkt Pzffw Odkkbk azlk qt, pk qo z Izcztkok ufsl Izczt med tsn pk qo tsd bqjqtv qt Izczt, lzwmk Pzffw qot&#39;d z Izcztkok tzlk med pk qo fkzbbw z Izcztkok. Pzffw nsfwkh qt z bznwkf&#39;o suuqak wkzfo zvs, med pk qo tsn nsfwqtv zd z mztw. Pk vkdo z vssh ozbzfw, med pk zbnzwo msffsno lstkw ufsl pqo ufqktho zth tkjkf czwo qd mzaw. Pzffw ozn lk zth azlk zthozdzd dpk ozlk dzmbk. Pk pzo tkjkf msffsnkh lstkw ufsl lk. Npqbk pk nzo kzdqtv, Q zowkh pql ds bkth lk &amp;2. Ds lw oefcfqok, pk vzjk lk dpk lstkw qllkhqzdkbw. &#39;Q pzjk tkjkf msfffsnkh ztw lstkw ufsl wse,&#39; Pzffw ozqh,&#39;os tsn wse azt czw usf lw hqttkf!&#39; Tsn q nqbb vqjk wse npzd wse nztd.
MIH{cwdp0t_Mfed3_u0fa3_sF_geqcgeqc_ZQ_Af4aw}</code></pre>
<p>最后一句明显的flag格式，直接上<a href="https://quipqiup.com/做就行了" target="_blank" rel="noopener">https://quipqiup.com/做就行了</a></p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200505230327.png" alt=""></p>
<pre><code class="txt">Welcome to our competition. Our competition is mainly for freshmen and sophomores. There are five types of topics in this competition, each of which is very basic. If you are interested in networy security, welcome to participate. Let me tell you a story. I was having dinner at a restaurant when Harry Steele came in, he is a Japanese from Japan but now he is not living in Japan, maybe Harry isn&#39;t a Japanese name but he is really a Japanese. Harry woryed in a lawyer&#39;s office years ago, but he is now worying at a bany. He gets a good salary, but he always borrows money from his friends and never pays it bacy. Harry saw me and came andsatat the same table. He has never borrowed money from me. While he was eating, I asyed him to lend me &amp;2. To my surprise, he gave me the money immediately. &#39;I have never borrrowed any money from you,&#39; Harry said,&#39;so now you can pay for my dinner!&#39; Now i will give you what you want. BJD{pyth0n_Brut3_f0rc3_oR_quipquip_AI_Cr4cy}</code></pre>
<p>有个单词拼错了最后的y应该改为k</p>
<h1 id="DAY-3"><a href="#DAY-3" class="headerlink" title="DAY 3"></a>DAY 3</h1><h2 id="reverse-2"><a href="#reverse-2" class="headerlink" title="reverse"></a>reverse</h2><h3 id="Youngter-drive"><a href="#Youngter-drive" class="headerlink" title="Youngter-drive"></a>Youngter-drive</h3><p>打开程序发现加了upx的壳，脱壳后ida打开</p>
<p>进入主函数</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200506232425.png" alt=""></p>
<p>主函数就是读取输入，然后运行两个线程，加密操作后，与<code>TOiZiZtOrYaToUwPnToBsOaOapsyS&#39;</code>进行比对。</p>
<p>加密函数在sub_411940里，但是存在堆栈不平衡的问题导致反编译失败，所以需要手动修改。</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200506232233.png" alt=""></p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200506233431.png" alt=""></p>
<p>如上图，将<code>-04</code>改为<code>000</code>即可，具体操作是从<a href="https://stackoverflow.com/questions/10165511/ida-positive-sp-value-has-been-found-error" target="_blank" rel="noopener">starkoverflow</a>上看到的</p>
<p>Hint: in <em>Options</em> &gt; <em>General</em>, you can enable an option to <em>Display Stack pointer</em> on the left side of each instruction, which makes it easier to see where it changes and how, especially in graph mode.</p>
<p>就是在<em>Options</em> &gt; <em>General</em>选项里把，starkpoint选中就可以看到前面的栈指针了，然后用alt+k修改即可</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200506234129.png" alt=""></p>
<p>修改后就可以f5了</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200506234437.png" alt=""></p>
<p>写脚本解密</p>
<pre><code class="python">off_418000 = &quot;QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm&quot;

off_418004 = &quot;TOiZiZtOrYaToUwPnToBsOaOapsyS&quot;

flag=&#39;&#39;

for i in range(len(off_418004)):
    if i %2 == 0:
        flag += off_418004[i]
        continue
    for j,k in enumerate(off_418000):
        if off_418004[i] == k:
            if chr(j+38).isupper():
                flag += chr(j+38)
            else:
                flag += chr(j+96)

print (flag)
#ThisisthreadofwindowshahaIsES</code></pre>
<p>但是输入长度有30位，少了一位，按理应该填什么都可以，但是BUU上的最后一位是E，应该是后台就存了一个flag吧。</p>
<h3 id="相册"><a href="#相册" class="headerlink" title="相册"></a>相册</h3><p>安卓逆向</p>
<p>先解压.apk包，然后dex2jar</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200507200553.png" alt=""></p>
<p>然后用jadx-gui打开生成的classes-dex2jar.jar文件</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200507201117.png" alt=""></p>
<p>打开后看到有base加密的信息，推测flag应该是一段base，根据题目提示flag为邮箱，搜索mail</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200507202051.png" alt=""></p>
<p>进入sendMailByJavaMail()，可以看到有MAILSERVER方法，右击查找用例</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200507202433.png" alt=""></p>
<p>但是NativeMethod中并没有字符串信息</p>
<pre><code class="java">static {
        System.loadLibrary(&quot;core&quot;);//调用外部资源
    }</code></pre>
<p>IDA打开libcore.so文件，找到NativeMethod_m</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200507203207.png" alt=""></p>
<p>这一串解密就是flag了</p>
<h3 id="GWCTF-2019-pyre"><a href="#GWCTF-2019-pyre" class="headerlink" title="[GWCTF 2019]pyre"></a>[GWCTF 2019]pyre</h3><p>python逆向，网站上把.pyc文件反编译成py代码,代码如下</p>
<pre><code class="python">#!/usr/bin/env python
# encoding: utf-8
# 如果觉得不错，可以推荐给你的朋友！http://tool.lu/pyc
print &#39;Welcome to Re World!&#39;
print &#39;Your input1 is your flag~&#39;
l = len(input1)
for i in range(l):
    num = ((input1[i] + i) % 128 + 128) % 128
    code += num

for i in range(l - 1):
    code[i] = code[i] ^ code[i + 1]

print code
code = [
    &#39;\x1f&#39;,
    &#39;\x12&#39;,
    &#39;\x1d&#39;,
    &#39;(&#39;,
    &#39;0&#39;,
    &#39;4&#39;,
    &#39;\x01&#39;,
    &#39;\x06&#39;,
    &#39;\x14&#39;,
    &#39;4&#39;,
    &#39;,&#39;,
    &#39;\x1b&#39;,
    &#39;U&#39;,
    &#39;?&#39;,
    &#39;o&#39;,
    &#39;6&#39;,
    &#39;*&#39;,
    &#39;:&#39;,
    &#39;\x01&#39;,
    &#39;D&#39;,
    &#39;;&#39;,
    &#39;%&#39;,
    &#39;\x13&#39;]
</code></pre>
<p>只是简单的按位异或、异或可逆，倒过来再异或一遍就行了</p>
<pre><code class="python">code = [&#39;\x1f&#39;,&#39;\x12&#39;,&#39;\x1d&#39;,&#39;(&#39;,&#39;0&#39;,
    &#39;4&#39;,&#39;\x01&#39;,&#39;\x06&#39;,&#39;\x14&#39;,&#39;4&#39;,
    &#39;,&#39;,&#39;\x1b&#39;,&#39;U&#39;,&#39;?&#39;,&#39;o&#39;,&#39;6&#39;,
    &#39;*&#39;,&#39;:&#39;,&#39;\x01&#39;,&#39;D&#39;,&#39;;&#39;,&#39;%&#39;,&#39;\x13&#39;]

for i in range(len(code)-2,-1,-1):
    code[i] = chr(ord(code[i])^ord(code[i+1]))
for i in range(len(code)):
    print(chr((ord(code[i])-i)%128),end=&quot;&quot;)</code></pre>
<h3 id="SUCTF2019-SignIn"><a href="#SUCTF2019-SignIn" class="headerlink" title="[SUCTF2019]SignIn"></a>[SUCTF2019]SignIn</h3><p>比赛时做过了，简单写一下思路，RSA算法，直接分解n就可求解，套个RSA的模板就行。</p>
<h3 id="2019红帽杯-easyRE"><a href="#2019红帽杯-easyRE" class="headerlink" title="[2019红帽杯]easyRE"></a>[2019红帽杯]easyRE</h3><p>无壳，拖入IDA，Shift+f12进入String窗口</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200508120047.png" alt=""></p>
<p>发现一串base，解密，套了好几层发现是个看雪的博客。。。没什么用</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200508121236.png" alt=""></p>
<p>也没用。。。不过给出了一个提示</p>
<pre><code class="c">v57 = __readfsqword(0x28u);
  v15 = 73;
  v16 = 111;
  v17 = 100;
  v18 = 108;
  v19 = 62;
  v20 = 81;
  v21 = 110;
  v22 = 98;
  v23 = 40;
  v24 = 111;
  v25 = 99;
  v26 = 121;
  v27 = 127;
  v28 = 121;
  v29 = 46;
  v30 = 105;
  v31 = 127;
  v32 = 100;
  v33 = 96;
  v34 = 51;
  v35 = 119;
  v36 = 125;
  v37 = 119;
  v38 = 101;
  v39 = 107;
  v40 = 57;
  v41 = 123;
  v42 = 105;
  v43 = 121;
  v44 = 61;
  v45 = 126;
  v46 = 121;
  v47 = 76;
  v48 = 64;
  v49 = 69;
  v50 = 67;
  memset(v51, 0, sizeof(v51));
  v52 = 0;
  v53 = 0;
  sub_4406E0(0LL, (__int64)v51);
  v53 = 0;
  LODWORD(v0) = sub_424BA0((const __m128i *)v51);
  if ( v0 == 36 )
  {
    for ( i = 0; ; ++i )
    {
      LODWORD(v2) = sub_424BA0((const __m128i *)v51);
      if ( i &gt;= v2 )
        break;
      if ( (unsigned __int8)(v51[i] ^ i) != *(&amp;v15 + i) )
      {
        result = 4294967294LL;
        goto LABEL_13;
      }
    }
    sub_410CC0(&quot;continue!&quot;);</code></pre>
<p>将上面的一串异或处理后</p>
<pre><code class="python">code = [73,111,100,108,62,81,110,98,40,111,99,121,127,121,46,105,127,100,96,51,119,125,
       119,101,107,57,123,105,121,61,126,121,76,64,69,67]

dec = &#39;&#39;
for i in range(36):
    dec += chr(code[i]^i)

print(dec)
#Info:The first four chars are `flag`</code></pre>
<p>提示前四位字符是<code>flag</code></p>
<p>有用的在那串base下面的数组里和sub_400D35()函数里</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200508121411.png" alt=""></p>
<p>sub_400D35()函数是flag的加密函数</p>
<pre><code class="c">__int64 sub_400D35()
{
  __int64 result; // rax
  unsigned __int64 v1; // rt1
  unsigned int v2; // [rsp+Ch] [rbp-24h]
  signed int i; // [rsp+10h] [rbp-20h]
  signed int j; // [rsp+14h] [rbp-1Ch]
  unsigned int v5; // [rsp+24h] [rbp-Ch]
  unsigned __int64 v6; // [rsp+28h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  v2 = sub_43FD20(0LL) - qword_6CEE38;
  for ( i = 0; i &lt;= 1233; ++i )
  {
    sub_40F790(v2);
    sub_40FE60();
    sub_40FE60();
    v2 = (unsigned __int64)sub_40FE60() ^ 0x98765432;
  }
  v5 = v2;
  if ( ((unsigned __int8)v2 ^ byte_6CC0A0[0]) == &#39;f&#39; &amp;&amp; (HIBYTE(v5) ^ (unsigned __int8)byte_6CC0A3) == &#39;g&#39; )//byte_6CC0A0前四位和v2异或是`flag`,可以推出第二段异或的key，也就是v5
  {
    for ( j = 0; j &lt;= 24; ++j )
      sub_410E90((unsigned __int8)(byte_6CC0A0[j] ^ *((_BYTE *)&amp;v5 + j % 4)));// 第二段异或
  }
  v1 = __readfsqword(0x28u);
  result = v1 ^ v6;
  if ( v1 != v6 )
    sub_444020();
  return result;
}</code></pre>
<p>解密脚本</p>
<pre><code class="python">code = [
  0x40, 0x35, 0x20, 0x56, 0x5D, 0x18, 0x22, 0x45, 0x17, 0x2F, 
  0x24, 0x6E, 0x62, 0x3C, 0x27, 0x54, 0x48, 0x6C, 0x24, 0x6E, 
  0x72, 0x3C, 0x32, 0x45, 0x5B]
code_1=&#39;flag&#39;
key=&#39;&#39;
flag=&#39;&#39;
for i in range(4):
    key += chr(code[i]^ord(code_1[i]))  #first xor
print (key)
for i in range(len(code)):
    flag += chr(code[i]^ord(key[i%4]))  #second xor
print(flag)
#key = &amp;YA1
#flag{Act1ve_Defen5e_Test}</code></pre>
<h3 id="BJDCTF2020-JustRE"><a href="#BJDCTF2020-JustRE" class="headerlink" title="[BJDCTF2020]JustRE"></a>[BJDCTF2020]JustRE</h3><pre><code class="c">BOOL __stdcall DialogFunc(HWND hWnd, UINT a2, WPARAM a3, LPARAM a4)
{
  CHAR String; // [esp+0h] [ebp-64h]

  if ( a2 != 272 )
  {
    if ( a2 != 273 )
      return 0;
    if ( (_WORD)a3 != 1 &amp;&amp; (_WORD)a3 != 2 )
    {
      sprintf(&amp;String, &amp;aD, ++dword_4099F0);
      if ( dword_4099F0 == 19999 )
      {
        sprintf(&amp;String, aBjdDD2069a4579, 19999, 0);// BJD{%d%d2069a45792d233ac}代码补齐
                                                // 1999902069a45792d233ac
        SetWindowTextA(hWnd, &amp;String);
        return 0;
      }
      SetWindowTextA(hWnd, &amp;String);
      return 0;
    }
    EndDialog(hWnd, (unsigned __int16)a3);
  }
  return 1;
}</code></pre>
<h3 id="crackMe"><a href="#crackMe" class="headerlink" title="crackMe"></a>crackMe</h3><pre><code class="c">int __usercall wmain@&lt;eax&gt;(int a1@&lt;ebx&gt;)
{
  FILE *v1; // eax
  FILE *v2; // eax
  char v4; // [esp+3h] [ebp-405h]
  char v5; // [esp+4h] [ebp-404h]
  char v6; // [esp+5h] [ebp-403h]
  char v7; // [esp+104h] [ebp-304h]
  char v8; // [esp+105h] [ebp-303h]
  char v9; // [esp+204h] [ebp-204h]
  char v10; // [esp+205h] [ebp-203h]
  char v11; // [esp+304h] [ebp-104h]
  char v12; // [esp+305h] [ebp-103h]

  printf(&quot;Come one! Crack Me~~~\n&quot;);
  v11 = 0;
  memset(&amp;v12, 0, 0xFFu);     //user
  v9 = 0;
  memset(&amp;v10, 0, 0xFFu);     //passwd
  while ( 1 )
  {
    do
    {
      do
      {
        printf(&quot;user(6-16 letters or numbers):&quot;);
        scanf(&quot;%s&quot;, &amp;v11);
        v1 = (FILE *)sub_4024BE();            //文件流指针
        fflush(v1);                           //更新缓存
      }
      while ( !sub_401000(&amp;v11) );            //长度判断
      printf(&quot;password(6-16 letters or numbers):&quot;);
      scanf(&quot;%s&quot;, &amp;v9);
      v2 = (FILE *)sub_4024BE();
      fflush(v2);
    }
    while ( !sub_401000(&amp;v9) );
    sub_401090(&amp;v11);
    v7 = 0;
    memset(&amp;v8, 0, 0xFFu);
    v5 = 0;
    memset(&amp;v6, 0, 0xFFu);
    v4 = ((int (__cdecl *)(char *, char *))loc_4011A0)(&amp;v7, &amp;v5);
    if ( sub_401830(a1, (int)&amp;v11, &amp;v9) )       //主要的一块函数
    {
      if ( v4 )
        break;
    }
    printf(&amp;v5);
  }
  printf(&amp;v7);
  return 0;
}</code></pre>
<p>前面的就是一个输入操作，主要看<code>sub_401830</code>;</p>
<pre><code class="c">bool __usercall sub_401830@&lt;al&gt;(int ebx0@&lt;ebx&gt;, int a1, const char *a2)
{
  int v4; // [esp+18h] [ebp-22Ch]
  signed int v5; // [esp+1Ch] [ebp-228h]
  signed int v6; // [esp+28h] [ebp-21Ch]
  unsigned int v7; // [esp+30h] [ebp-214h]
  char v8; // [esp+36h] [ebp-20Eh]
  char v9; // [esp+37h] [ebp-20Dh]
  char v10; // [esp+38h] [ebp-20Ch]
  unsigned __int8 v11; // [esp+39h] [ebp-20Bh]
  unsigned __int8 v12; // [esp+3Ah] [ebp-20Ah]
  char v13; // [esp+3Bh] [ebp-209h]
  int v14; // [esp+3Ch] [ebp-208h]
  char v15; // [esp+40h] [ebp-204h]
  char v16; // [esp+41h] [ebp-203h]
  char v17; // [esp+140h] [ebp-104h]
  char v18; // [esp+141h] [ebp-103h]

  v5 = 0;
  v6 = 0;
  v12 = 0;
  v11 = 0;
  v17 = 0;
  memset(&amp;v18, 0, 0xFFu);
  v15 = 0;
  memset(&amp;v16, 0, 0xFFu);
  v10 = 0;
  v7 = 0;
  v4 = 0;
  while ( v7 &lt; strlen(a2) )
  {
    if ( isdigit(a2[v7]) )                      // isdigit() 用来检测一个字符是否是十进制数字
    {
      v9 = a2[v7] - 48;                         // 转int型
    }
    else if ( isxdigit(a2[v7]) )                // isxdigit() 用来检测一个字符是否是十六进制数字。
    {
      if ( *(_DWORD *)(*(_DWORD *)(__readfsdword(0x30u) + 24) + 12) != 2 )
        a2[v7] = 34;
      v9 = (a2[v7] | 0x20) - 87;                // 转int型
    }
    else
    {
      v9 = ((a2[v7] | 0x20) - 97) % 6 + 10;     // 按字母顺序，分为6组，10到15
    }
    v10 = v9 + 16 * v10;
    if ( !((signed int)(v7 + 1) % 2) )          // 偶数位处理
    {
      *(&amp;v15 + v4++) = v10;
      ebx0 = v4;
      v10 = 0;
    }
    ++v7;
  }
  while ( v6 &lt; 8 )                              // 一些变换
  {
    v11 += byte_416050[++v12];
    v13 = byte_416050[v12];
    v8 = byte_416050[v11];
    byte_416050[v11] = v13;
    byte_416050[v12] = v8;
    if ( *(_DWORD *)(__readfsdword(0x30u) + 104) &amp; 0x70 )
      v13 = v11 + v12;
    *(&amp;v17 + v6) = byte_416050[(unsigned __int8)(v8 + v13)] ^ *(&amp;v15 + v5);// v17通过byte_416050与v14异或生成
    if ( *(_DWORD *)(__readfsdword(0x30u) + 2) &amp; 0xFF )
    {
      v11 = -83;
      v12 = 43;
    }
    sub_401710((int)&amp;v17, (const char *)a1, v6++);
    v5 = v6;
    if ( v6 &gt;= (unsigned int)(&amp;v15 + strlen(&amp;v15) + 1 - &amp;v16) )
      v5 = 0;
  }
  v14 = 0;
  sub_401470(ebx0, &amp;v17, &amp;v14);                 // dbappsec
  return v14 == 43924;
}</code></pre>
<p>先是将密码转为整型两两组合，然后在while循环中进行复杂变换生成v17数组，函数<code>sub_401470</code>返回的v17的值应该为<code>dbappsec</code>;</p>
<pre><code class="c">_DWORD *__usercall sub_401470@&lt;eax&gt;(int a1@&lt;ebx&gt;, _BYTE *a2, _DWORD *a3)
{
  int v3; // ST28_4
  int v4; // ecx
  _DWORD *_EAX; // eax
  int v6; // edx
  int v8; // ST20_4
  int v9; // eax
  int v10; // edi
  int v11; // ST1C_4
  int v12; // edx
  char v13; // di
  int v14; // ST18_4
  int v15; // eax
  int v16; // ST14_4
  int v17; // edx
  char v18; // al
  int v19; // ST10_4
  int v20; // ecx
  char _AL; // al
  int v23; // ST0C_4
  int v24; // eax
  _DWORD *result; // eax
  int v26; // edx

  if ( *a2 == &#39;d&#39; )
  {
    *a3 |= 4u;
    v4 = *a3;
  }
  else
  {
    *a3 ^= 3u;
  }
  v3 = *a3;
  if ( a2[1] == &#39;b&#39; )
  {
    _EAX = a3;
    *a3 |= 0x14u;
    v6 = *a3;
  }
  else
  {
    *a3 &amp;= 0x61u;
    _EAX = (_DWORD *)*a3;
  }
  __asm { aam }
  if ( a2[2] == &#39;a&#39; )
  {
    *a3 |= 0x84u;
    v9 = *a3;
  }
  else
  {
    *a3 &amp;= 0xAu;
  }
  v8 = *a3;
  v10 = ~(a1 &gt;&gt; -91);
  if ( a2[3] == &#39;p&#39; )
  {
    *a3 |= 0x114u;
    v12 = *a3;
  }
  else
  {
    *a3 &gt;&gt;= 7;
  }
  v11 = *a3;
  v13 = v10 - 1;
  if ( a2[4] == &#39;p&#39; )
  {
    *a3 |= 0x380u;
    v15 = *a3;
  }
  else
  {
    *a3 *= 2;
  }
  v14 = *a3;
  if ( *(_DWORD *)(*(_DWORD *)(__readfsdword(0x30u) + 24) + 12) != 2 )
  {
    if ( a2[5] == &#39;f&#39; )
    {
      *a3 |= 0x2DCu;
      v17 = *a3;
    }
    else
    {
      *a3 |= 0x21u;
    }
    v16 = *a3;
  }
  if ( a2[5] == &#39;s&#39; )
  {
    *a3 |= 0xA04u;
    v18 = (char)a3;
    v20 = *a3;
  }
  else
  {
    v18 = (char)a3;
    *a3 ^= 0x1ADu;
  }
  v19 = *a3;
  _AL = v18 - v13;
  __asm { daa }
  if ( a2[6] == &#39;e&#39; )
  {
    *a3 |= 0x2310u;
    v24 = *a3;
  }
  else
  {
    *a3 |= 0x4Au;
  }
  v23 = *a3;
  if ( a2[7] == &#39;c&#39; )
  {
    result = a3;
    *a3 |= 0x8A10u;
    v26 = *a3;
  }
  else
  {
    *a3 &amp;= 0x3A3u;
    result = (_DWORD *)*a3;
  }
  return result;                                // dbappsec
}</code></pre>
<p>题目中给出用户名是<code>welcomebeijing</code>；然后根据v17通过byte_416050与变换的密码异或生成，通过动态调试来求密码。</p>
<p>关键位置在这里：</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200510005556.png" alt=""></p>
<p>在这个位置异或操作后ECX寄存器中的数据就是密码啦，记录下来就是</p>
<blockquote>
<p>0x2a, 0xd7, 0x92, 0xe9, 0x53, 0xe2, 0xc4, 0xcd</p>
</blockquote>
<p>剩下的就是写脚本求解了</p>
<pre><code class="python">import hashlib

code = [0x2a, 0xd7, 0x92, 0xe9, 0x53, 0xe2, 0xc4, 0xcd]
s = &quot;dbappsec&quot;

secret = []

for i in range(len(s)):
    secret.append(hex(ord(s[i])^code[i]).replace(&quot;0x&quot;,&#39;&#39;))
flag = &#39;&#39;.join(secret)
md = hashlib.md5()
md.update(flag.encode(&#39;utf-8&#39;))
print (&quot;flag{&quot;+md.hexdigest()+&quot;}&quot;)
#flag{d2be2981b84f2a905669995873d6a36c}</code></pre>
<h3 id="CSRe"><a href="#CSRe" class="headerlink" title="CSRe"></a>CSRe</h3><p>打开程序发现是.NET，并且输出有乱码：</p>
<pre><code class="txt">未经处理的异常:  System.Exception: The assembly CS_exe.exe has been built with an evaluation version of Eazfuscator.NET, which has expired.
   在 .(Boolean )
   在 ?.(String[] )</code></pre>
<p>dnspy打开发现有混淆，ScanId查混淆也没查出来是啥。。</p>
<pre><code class="c#">// \u0002
// Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
public static string \u0002()
{
    return \u0008\u2000.\u0002(-102257640);
}
//混淆</code></pre>
<p>好在de4dot能解。</p>
<p>反混淆后</p>
<pre><code class="c#">// Class3
// Token: 0x0600000F RID: 15 RVA: 0x00002374 File Offset: 0x00000574
private static void Main(string[] args)
{
    if (!Class1.smethod_1())
    {
        return;
    }
    bool flag = true;
    Class3 @class = new Class3();
    string str = Console.ReadLine();
    if (Class3.smethod_0(&quot;3&quot; + str + &quot;9&quot;) != &quot;B498BFA2498E21325D1178417BEA459EB2CD28F8&quot;)
    {
        flag = false;
    }
    string text = Console.ReadLine();
    string string_ = Class3.smethod_0(&quot;re&quot; + text);
    string text2 = @class.method_0(string_, &quot;63143B6F8007B98C53CA2149822777B3566F9241&quot;);
    for (int i = 0; i &lt; text2.Length; i++)
    {
        if (text2[i] != &#39;0&#39;)
        {
            flag = false;
        }
    }
    if (flag)
    {
        Console.WriteLine(&quot;flag{&quot; + str + text + &quot;}&quot;);
    }
}
//逻辑很清晰，smethod_0是对字符串进行sha1加密后大写Hex输出，所以只需要将这两串进行sha1解密就可以了
//B498BFA2498E21325D1178417BEA459EB2CD28F8=314159
//63143B6F8007B98C53CA2149822777B3566F9241=return
//去掉3，9，re后组装为flag
//flag{1415turn}</code></pre>
<h1 id="DAY-4"><a href="#DAY-4" class="headerlink" title="DAY 4"></a>DAY 4</h1><p>emmm 网鼎杯开始了，先咕一天。</p>
<h1 id="DAY-5"><a href="#DAY-5" class="headerlink" title="DAY 5"></a>DAY 5</h1><h2 id="reverse-3"><a href="#reverse-3" class="headerlink" title="reverse"></a>reverse</h2><h3 id="ACTF新生赛2020-easyre"><a href="#ACTF新生赛2020-easyre" class="headerlink" title="[ACTF新生赛2020]easyre"></a>[ACTF新生赛2020]easyre</h3><p>UPX加壳了，脱壳机脱壳后拖入IDA</p>
<p>进入主函数</p>
<pre><code class="c">int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [esp+12h] [ebp-2Eh]
  char v5; // [esp+13h] [ebp-2Dh]
  char v6; // [esp+14h] [ebp-2Ch]
  char v7; // [esp+15h] [ebp-2Bh]
  char v8; // [esp+16h] [ebp-2Ah]
  char v9; // [esp+17h] [ebp-29h]
  char v10; // [esp+18h] [ebp-28h]
  char v11; // [esp+19h] [ebp-27h]
  char v12; // [esp+1Ah] [ebp-26h]
  char v13; // [esp+1Bh] [ebp-25h]
  char v14; // [esp+1Ch] [ebp-24h]
  char v15; // [esp+1Dh] [ebp-23h]
  int v16; // [esp+1Eh] [ebp-22h]
  int v17; // [esp+22h] [ebp-1Eh]
  int v18; // [esp+26h] [ebp-1Ah]
  __int16 v19; // [esp+2Ah] [ebp-16h]
  char v20; // [esp+2Ch] [ebp-14h]
  char v21; // [esp+2Dh] [ebp-13h]
  char v22; // [esp+2Eh] [ebp-12h]
  int v23; // [esp+2Fh] [ebp-11h]
  int v24; // [esp+33h] [ebp-Dh]
  int v25; // [esp+37h] [ebp-9h]
  char v26; // [esp+3Bh] [ebp-5h]
  int i; // [esp+3Ch] [ebp-4h]

  sub_401A10();
  v4 = &#39;*&#39;;
  v5 = &#39;F&#39;;
  v6 = &#39;\&#39;&#39;;
  v7 = &#39;&quot;&#39;;
  v8 = &#39;N&#39;;
  v9 = &#39;,&#39;;
  v10 = &#39;&quot;&#39;;
  v11 = &#39;(&#39;;
  v12 = &#39;I&#39;;
  v13 = &#39;?&#39;;
  v14 = &#39;+&#39;;
  v15 = &#39;@&#39;;
  printf(&quot;Please input:&quot;);
  scanf(&quot;%s&quot;, &amp;v19);
  if ( (_BYTE)v19 != &#39;A&#39; || HIBYTE(v19) != &#39;C&#39; || v20 != &#39;T&#39; || v21 != &#39;F&#39; || v22 != &#39;{&#39; || v26 != &#39;}&#39; )
    return 0;
  v16 = v23;
  v17 = v24;
  v18 = v25;
  for ( i = 0; i &lt;= 11; ++i )
  {
    if ( *(&amp;v4 + i) != byte_402000[*((char *)&amp;v16 + i) - 1] )// v4字符数组对应在byte_402000数组中下标值+1转为str即为flag
      return 0;
  }
  printf(&quot;You are correct!&quot;);
  return 0;
}</code></pre>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200511210541.png" alt=""></p>
<p>所以要求flag就要找到v4的字符在byte_402000数组中的位置下标再+1，转成字符型就可以了</p>
<p>自己写的脚本太垃圾</p>
<p>看了大佬的wp学了一手</p>
<pre><code class="python">v4 = [42,70,39,34,78,44,34,40,73,63,43,64]

model = r&quot;}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?&gt;=&lt;;:9876543210/.-,+*)(&quot; + chr(0x27) + r&#39;&amp;%$# !&quot;&#39;

pos = []

for i in v4:
    pos.append(model.find(chr(i))+1)
#print (pos)   
#t = [chr(x) for x in pos]
#print (t)
s = [chr(x + 1) for x in pos]
#print (s)
flag = &#39;&#39;.join(s)
print (&#39;flag{&#39;+flag+&#39;}&#39;)
#flag{U9X_1S_W6@T?}

#0x27是单引号，会引发歧义所以用十六进制转字符
#find方法直接返回位置再+1就是flag</code></pre>
<h3 id="GUET-CTF2019-re"><a href="#GUET-CTF2019-re" class="headerlink" title="[GUET-CTF2019]re"></a>[GUET-CTF2019]re</h3><p>UPX壳</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200512181549.png" alt=""></p>
<p>脱壳后进入IDA</p>
<pre><code class="c">__int64 sub_400E28()
{
  const char *v0; // rdi
  __int64 result; // rax
  __int64 v2; // rdx
  unsigned __int64 v3; // rt1
  __int64 v4; // [rsp+0h] [rbp-30h]
  __int64 v5; // [rsp+8h] [rbp-28h]
  __int64 v6; // [rsp+10h] [rbp-20h]
  __int64 v7; // [rsp+18h] [rbp-18h]
  unsigned __int64 v8; // [rsp+28h] [rbp-8h]

  v8 = __readfsqword(0x28u);
  v4 = 0LL;
  v5 = 0LL;
  v6 = 0LL;
  v7 = 0LL;
  sub_40F950((unsigned __int64)&quot;input your flag:&quot;);
  sub_40FA80((unsigned __int64)&quot;%s&quot;);
  if ( (unsigned int)sub_4009AE((char *)&amp;v4) )//flag处理函数
  {
    v0 = &quot;Correct!&quot;;
    sub_410350(&quot;Correct!&quot;);
  }
  else
  {
    v0 = &quot;Wrong!&quot;;
    sub_410350(&quot;Wrong!&quot;);
  }
  result = 0LL;
  v3 = __readfsqword(0x28u);
  v2 = v3 ^ v8;
  if ( v3 != v8 )
    sub_443550(v0, &amp;v4, v2);
  return result;
}</code></pre>
<p>主要函数在sub_4009AE里</p>
<pre><code class="c">_BOOL8 __fastcall sub_4009AE(char *a1)
{
  if ( 1629056 * *a1 != 166163712 )             // 166163712/1629056=102  -&gt;  &#39;f&#39;
    return 0LL;
  if ( 6771600 * a1[1] != 731332800 )
    return 0LL;
  if ( 3682944 * a1[2] != 357245568 )
    return 0LL;
  if ( 10431000 * a1[3] != 1074393000 )
    return 0LL;
  if ( 3977328 * a1[4] != 489211344 )
    return 0LL;
  if ( 5138336 * a1[5] != 518971936 )
    return 0LL;
  if ( 7532250 * a1[7] != 406741500 )
    return 0LL;
  if ( 5551632 * a1[8] != 294236496 )
    return 0LL;
  if ( 3409728 * a1[9] != 177305856 )
    return 0LL;
  if ( 13013670 * a1[10] != 650683500 )
    return 0LL;
  if ( 6088797 * a1[11] != 298351053 )
    return 0LL;
  if ( 7884663 * a1[12] != 386348487 )
    return 0LL;
  if ( 8944053 * a1[13] != 438258597 )
    return 0LL;
  if ( 5198490 * a1[14] != 249527520 )
    return 0LL;
  if ( 4544518 * a1[15] != 445362764 )
    return 0LL;
  if ( 3645600 * a1[17] != 174988800 )
    return 0LL;
  if ( 10115280 * a1[16] != 981182160 )
    return 0LL;
  if ( 9667504 * a1[18] != 493042704 )
    return 0LL;
  if ( 5364450 * a1[19] != 257493600 )
    return 0LL;
  if ( 13464540 * a1[20] != 767478780 )
    return 0LL;
  if ( 5488432 * a1[21] != 312840624 )
    return 0LL;
  if ( 14479500 * a1[22] != 1404511500 )
    return 0LL;
  if ( 6451830 * a1[23] != 316139670 )
    return 0LL;
  if ( 6252576 * a1[24] != 619005024 )
    return 0LL;
  if ( 7763364 * a1[25] != 372641472 )
    return 0LL;
  if ( 7327320 * a1[26] != 373693320 )
    return 0LL;
  if ( 8741520 * a1[27] != 498266640 )
    return 0LL;
  if ( 8871876 * a1[28] != 452465676 )
    return 0LL;
  if ( 4086720 * a1[29] != 208422720 )
    return 0LL;
  if ( 9374400 * a1[30] == 515592000 )
    return 5759124 * a1[31] == 719890500;
  return 0LL;
}</code></pre>
<p>全部求解即为flag的ASCII码值，好像少了个a1[6]</p>
<pre><code class="python">a1 = [0]*32
a1[31] = 125
a1[30] = 55
a1[29] = 51
a1[28] = 51
a1[27] = 57
a1[26] = 51
a1[25] = 48
a1[24] = 99
a1[23] = 49
a1[22] = 97
a1[21] = 57
a1[20] = 57
a1[19] = 48
a1[18] = 51
a1[16] = 97
a1[17] = 48
a1[15] = 98
a1[14] = 48
a1[13] = 49
a1[12] = 49
a1[11] = 49
a1[10] = 50
a1[9] = 52
a1[8] = 53
a1[7] = 54
a1[5] = 101
a1[4] = 123
a1[3] = 103
a1[2] = 97
a1[1] = 108
a1[0] = 102
for i in range(32):
    if i == 6:
        continue
    print(chr(a1[i]), end=&quot;&quot;)
#flag{e65421110ba03099a1c039337}</code></pre>
<p>看了题解。。。少了一个数，娘滴。</p>
<p>flag{e165421110ba03099a1c039337}</p>
<h3 id="FlareOn4-login"><a href="#FlareOn4-login" class="headerlink" title="[FlareOn4]login"></a>[FlareOn4]login</h3><pre><code class="html">&lt;!DOCTYPE Html /&gt;
&lt;html&gt;
    &lt;head&gt;
        &lt;title&gt;FLARE On 2017&lt;/title&gt;
    &lt;/head&gt;
    &lt;body&gt;
        &lt;input type=&quot;text&quot; name=&quot;flag&quot; id=&quot;flag&quot; value=&quot;Enter the flag&quot; /&gt;
        &lt;input type=&quot;button&quot; id=&quot;prompt&quot; value=&quot;Click to check the flag&quot; /&gt;
        &lt;script type=&quot;text/javascript&quot;&gt;
            document.getElementById(&quot;prompt&quot;).onclick = function () {
                var flag = document.getElementById(&quot;flag&quot;).value;
                var rotFlag = flag.replace(/[a-zA-Z]/g, function(c){return String.fromCharCode((c &lt;= &quot;Z&quot; ? 90 : 122) &gt;= (c = c.charCodeAt(0) + 13) ? c : c - 26);});//rot13加密
                //alert(rotFlag);//在此处添加一行显示加密后的字符串即为flag
                if (&quot;PyvragFvqrYbtvafNerRnfl@syner-ba.pbz&quot; == rotFlag) {
                    alert(&quot;Correct flag!&quot;);
                } else {
                    alert(&quot;Incorrect flag, rot again&quot;);
                }
            }
        &lt;/script&gt;
    &lt;/body&gt;
&lt;/html&gt;
</code></pre>
<h3 id="BJDCTF2020-easy"><a href="#BJDCTF2020-easy" class="headerlink" title="[BJDCTF2020]easy"></a>[BJDCTF2020]easy</h3><p>拖入IDA，进入主函数</p>
<pre><code class="c">int __cdecl main(int argc, const char **argv, const char **envp)
{
  time_t Time; // [esp+10h] [ebp-3F0h]
  struct tm *v5; // [esp+3FCh] [ebp-4h]

  __main();
  time(&amp;Time);
  v5 = localtime(&amp;Time);
  puts(&quot;Can you find me?\n&quot;);
  system(&quot;pause&quot;);
  return 0;
}


int __main()
{
  int result; // eax

  if ( !initialized )
  {
    initialized = 1;
    result = __do_global_ctors();
  }
  return result;
}</code></pre>
<p>emmm，啥也没有，程序显然想让我们找flag，但是进到字符窗口有没有关于flag的字符</p>
<p>发现一个没有调用的函数</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200513200434.png" alt=""></p>
<pre><code class="c">  int j; // [esp+114h] [ebp-34h]
  __int64 v14; // [esp+118h] [ebp-30h]
  int v15; // [esp+124h] [ebp-24h]
  int v16; // [esp+128h] [ebp-20h]
  int i; // [esp+12Ch] [ebp-1Ch]

  v3 = 2147122737;
  v4 = 140540;
  v5 = -2008399303;
  v6 = 141956;
  v7 = 139457077;
  v8 = 262023;
  v9 = -2008923597;
  v10 = 143749;
  v11 = 2118271985;
  v12 = 143868;
  for ( i = 0; i &lt;= 4; ++i )
  {
    memset(v2, 0, sizeof(v2));
    v16 = 0;
    v15 = 0;
    v0 = *(&amp;v4 + 2 * i);
    LODWORD(v14) = *(&amp;v3 + 2 * i);
    HIDWORD(v14) = v0;
    while ( SHIDWORD(v14) &gt; 0 || v14 &gt;= 0 &amp;&amp; (_DWORD)v14 )
    {
      v2[v16++] = ((SHIDWORD(v14) &gt;&gt; 31) ^ (((unsigned __int8)(SHIDWORD(v14) &gt;&gt; 31) ^ (unsigned __int8)v14)
                                          - (unsigned __int8)(SHIDWORD(v14) &gt;&gt; 31)) &amp; 1)
                - (SHIDWORD(v14) &gt;&gt; 31);
      v14 /= 2i64;
    }
    for ( j = 50; j &gt;= 0; --j )
    {
      if ( v2[j] )
      {
        if ( v2[j] == 1 )
        {
          putchar(42);
          ++v15;
        }
      }
      else
      {
        putchar(32);
        ++v15;
      }
      if ( !(v15 % 5) )
        putchar(32);
    }
    result = putchar(10);
  }
  return result;
}</code></pre>
<p>这个函数可以通过动态调试直接进入 ，我们能看到_ques()的地址是 401520</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200513200833.png" alt=""></p>
<p>打开OD</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200513201132.png" alt=""></p>
<p>将401520设为新的EIP，运行</p>
<p><img src="https://cdn.jsdelivr.net/gh/13slie/blog-gh/blogimg/20200513201553.png" alt=""></p>
<p>得到flag{HACKIT4FUN}</p>
<h1 id="DAY-6"><a href="#DAY-6" class="headerlink" title="DAY 6"></a>DAY 6</h1><h2 id="reverse-4"><a href="#reverse-4" class="headerlink" title="reverse"></a>reverse</h2><h3 id="BJDCTF2020-BJD-hamburger-competition"><a href="#BJDCTF2020-BJD-hamburger-competition" class="headerlink" title="[BJDCTF2020]BJD hamburger competition"></a>[BJDCTF2020]BJD hamburger competition</h3><p>dnspy打开Assembly-CSharp.dll文件</p>
<pre><code class="c#">using System;
using System.Security.Cryptography;
using System.Text;
using UnityEngine;

// Token: 0x02000004 RID: 4
public class ButtonSpawnFruit : MonoBehaviour
{
    // Token: 0x0600000A RID: 10 RVA: 0x00002110 File Offset: 0x00000310
    public static string Md5(string str)
    {
        byte[] bytes = Encoding.UTF8.GetBytes(str);
        byte[] array = MD5.Create().ComputeHash(bytes);
        StringBuilder stringBuilder = new StringBuilder();
        foreach (byte b in array)
        {
            stringBuilder.Append(b.ToString(&quot;X2&quot;));
        }
        return stringBuilder.ToString().Substring(0, 20);
    }

    // Token: 0x0600000B RID: 11 RVA: 0x00002170 File Offset: 0x00000370
    public static string Sha1(string str)
    {
        byte[] bytes = Encoding.UTF8.GetBytes(str);
        byte[] array = SHA1.Create().ComputeHash(bytes);
        StringBuilder stringBuilder = new StringBuilder();
        foreach (byte b in array)
        {
            stringBuilder.Append(b.ToString(&quot;X2&quot;));
        }
        return stringBuilder.ToString();
    }

    // Token: 0x0600000C RID: 12 RVA: 0x000021C8 File Offset: 0x000003C8
    public void Spawn()
    {
        FruitSpawner component = GameObject.FindWithTag(&quot;GameController&quot;).GetComponent&lt;FruitSpawner&gt;();
        if (component)
        {
            if (this.audioSources.Length != 0)
            {
                this.audioSources[Random.Range(0, this.audioSources.Length)].Play();
            }
            component.Spawn(this.toSpawn);
            string name = this.toSpawn.name;
            if (name == &quot;汉堡底&quot; &amp;&amp; Init.spawnCount == 0)
            {
                Init.secret += 997;
            }
            else if (name == &quot;鸭屁股&quot;)
            {
                Init.secret -= 127;
            }
            else if (name == &quot;胡罗贝&quot;)
            {
                Init.secret *= 3;
            }
            else if (name == &quot;臭豆腐&quot;)
            {
                Init.secret ^= 18;
            }
            else if (name == &quot;俘虏&quot;)
            {
                Init.secret += 29;
            }
            else if (name == &quot;白拆&quot;)
            {
                Init.secret -= 47;
            }
            else if (name == &quot;美汁汁&quot;)
            {
                Init.secret *= 5;
            }
            else if (name == &quot;柠檬&quot;)
            {
                Init.secret ^= 87;
            }
            else if (name == &quot;汉堡顶&quot; &amp;&amp; Init.spawnCount == 5)
            {
                Init.secret ^= 127;
                string str = Init.secret.ToString();
                if (ButtonSpawnFruit.Sha1(str) == &quot;DD01903921EA24941C26A48F2CEC24E0BB0E8CC7&quot;)//关键
                {
                    this.result = &quot;BJDCTF{&quot; + ButtonSpawnFruit.Md5(str) + &quot;}&quot;;
                    Debug.Log(this.result);
                }
            }
            Init.spawnCount++;
            Debug.Log(Init.secret);
            Debug.Log(Init.spawnCount);
        }
    }

    // Token: 0x04000005 RID: 5
    public GameObject toSpawn;

    // Token: 0x04000006 RID: 6
    public int spawnCount = 1;

    // Token: 0x04000007 RID: 7
    public AudioSource[] audioSources;

    // Token: 0x04000008 RID: 8
    public string result = &quot;&quot;;
}
</code></pre>
<p>flag就是把DD01903921EA24941C26A48F2CEC24E0BB0E8CC7进行一次sha1加密再MD5加密stringBuilder.ToString().Substring(0, 20);//取前20位字符</p>
<p>sha1解密后是  1001</p>
<p>MD5加密  b8c37e33defde51cf91e1e03e51657da</p>
<p>取前20位</p>
<p>flag{b8c37e33defde51cf91e}</p>
<p>交上去不对。。。发现是大写</p>
<p>flag{B8C37E33DEFDE51CF91E}</p>
<h3 id="ACTF新生赛2020-usualCrypt"><a href="#ACTF新生赛2020-usualCrypt" class="headerlink" title="[ACTF新生赛2020]usualCrypt"></a>[ACTF新生赛2020]usualCrypt</h3><p>进入主函数</p>
<pre><code class="c">int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // esi
  int result; // eax
  int v5; // [esp+8h] [ebp-74h]
  int v6; // [esp+Ch] [ebp-70h]
  int v7; // [esp+10h] [ebp-6Ch]
  __int16 v8; // [esp+14h] [ebp-68h]
  char v9; // [esp+16h] [ebp-66h]
  char v10; // [esp+18h] [ebp-64h]

  sub_403CF8((int)&amp;unk_40E140);
  scanf(aS, &amp;v10);
  v5 = 0;
  v6 = 0;
  v7 = 0;
  v8 = 0;
  v9 = 0;
  sub_401080((int)&amp;v10, strlen(&amp;v10), (int)&amp;v5);// 换表 base64 大小写互换
  v3 = 0;
  while ( *((_BYTE *)&amp;v5 + v3) == byte_40E0E4[v3] )// zMXHz3TIgnxLxJhFAdtZn2fFk3lYCrtPC2l9
  {
    if ( ++v3 &gt; strlen((const char *)&amp;v5) )
      goto LABEL_6;
  }
  sub_403CF8((int)aError);
LABEL_6:
  if ( v3 - 1 == strlen(byte_40E0E4) )
    result = sub_403CF8((int)aAreYouHappyYes);
  else
    result = sub_403CF8((int)aAreYouHappyNo);
  return result;
}</code></pre>
<p>主要逻辑在sub_401080里，进入这个函数</p>
<pre><code class="c">int __cdecl sub_401080(int a1, int a2, int a3)
{
  int v3; // edi
  int v4; // esi
  int v5; // edx
  int v6; // eax
  int v7; // ecx
  int v8; // esi
  int v9; // esi
  int v10; // esi
  int v11; // esi
  _BYTE *v12; // ecx
  int v13; // esi
  int v15; // [esp+18h] [ebp+8h]

  v3 = 0;
  v4 = 0;
  sub_401000();                                 // 换表
  v5 = a2 % 3;                                  // base64加密,熟悉base64的加密原理分成4组并且有base64表
  v6 = a1;                                      // 很容易看出是base64,但是sub_401000对加密表进行了处理
  v7 = a2 - a2 % 3;                             // 所以直接base64解密是不对的
  v15 = a2 % 3;
  if ( v7 &gt; 0 )
  {
    do
    {
      LOBYTE(v5) = *(_BYTE *)(a1 + v3);
      v3 += 3;
      v8 = v4 + 1;
      *(_BYTE *)(v8++ + a3 - 1) = byte_40E0A0[(v5 &gt;&gt; 2) &amp; 63];
      *(_BYTE *)(v8++ + a3 - 1) = byte_40E0A0[16 * (*(_BYTE *)(a1 + v3 - 3) &amp; 3)
                                            + (((signed int)*(unsigned __int8 *)(a1 + v3 - 2) &gt;&gt; 4) &amp; 15)];
      *(_BYTE *)(v8 + a3 - 1) = byte_40E0A0[4 * (*(_BYTE *)(a1 + v3 - 2) &amp; 15)
                                          + (((signed int)*(unsigned __int8 *)(a1 + v3 - 1) &gt;&gt; 6) &amp; 3)];
      v5 = *(_BYTE *)(a1 + v3 - 1) &amp; 63;
      v4 = v8 + 1;
      *(_BYTE *)(v4 + a3 - 1) = byte_40E0A0[v5];
    }
    while ( v3 &lt; v7 );
    v5 = v15;
  }
  if ( v5 == 1 )
  {
    LOBYTE(v7) = *(_BYTE *)(v3 + a1);
    v9 = v4 + 1;
    *(_BYTE *)(v9 + a3 - 1) = byte_40E0A0[(v7 &gt;&gt; 2) &amp; 63];
    v10 = v9 + 1;
    *(_BYTE *)(v10 + a3 - 1) = byte_40E0A0[16 * (*(_BYTE *)(v3 + a1) &amp; 3)];
    *(_BYTE *)(v10 + a3) = 61;
LABEL_8:
    v13 = v10 + 1;
    *(_BYTE *)(v13 + a3) = 61;
    v4 = v13 + 1;
    goto LABEL_9;
  }
  if ( v5 == 2 )
  {
    v11 = v4 + 1;
    *(_BYTE *)(v11 + a3 - 1) = byte_40E0A0[((signed int)*(unsigned __int8 *)(v3 + a1) &gt;&gt; 2) &amp; 0x3F];
    v12 = (_BYTE *)(v3 + a1 + 1);
    LOBYTE(v6) = *v12;
    v10 = v11 + 1;
    *(_BYTE *)(v10 + a3 - 1) = byte_40E0A0[16 * (*(_BYTE *)(v3 + a1) &amp; 3) + ((v6 &gt;&gt; 4) &amp; 0xF)];
    *(_BYTE *)(v10 + a3) = byte_40E0A0[4 * (*v12 &amp; 0xF)];
    goto LABEL_8;
  }
LABEL_9:
  *(_BYTE *)(v4 + a3) = 0;
  return sub_401030((const char *)a3);          // 大小写互换
}</code></pre>
<p>跟进换表的函数sub_401000</p>
<pre><code class="c">signed int sub_401000()
{
  signed int result; // eax
  char v1; // cl

  result = 6;
  do
  {
    v1 = byte_40E0AA[result];                   // 换表操作
    byte_40E0AA[result] = byte_40E0A0[result];
    byte_40E0A0[result++] = v1;
  }
  while ( result &lt; 15 );                        // 实际上就是base64表中的G-O和Q-Y互换位置
  return result;                                // 换完的表应该是这样的
}                                              
// ABCDEFQRSTUVWXYPGHIJKLMNOZabcdefghijklmnopqrstuvwxyz0123456789+/</code></pre>
<p>有学了手大佬的脚本，写好python脚本好难啊，自己写的怎么就那么垃圾(ノへ￣、)</p>
<pre><code class="python">import base64

Label = list(&quot;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/&quot;)
model = &quot;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/&quot;
for i in range(6,15):
    Label[i],Label[i+10] = Label[i+10],Label[i]
Label = &#39;&#39;.join(Label)
enc = &quot;zMXHz3TIgnxLxJhFAdtZn2fFk3lYCrtPC2l9&quot;.swapcase()
dec = &quot;&quot;
for i in range(len(enc)):
    dec += model[Label.find(enc[i])]
print (dec)
print (Label)
print (base64.b64decode(dec))
# ZmxhZ3tiQXNlNjRfaDJzX2FfU3VycHJpc2V9
# ABCDEFQRSTUVWXYPGHIJKLMNOZabcdefghijklmnopqrstuvwxyz0123456789+/
# b&#39;flag{bAse64_h2s_a_Surprise}&#39;</code></pre>
<h3 id="GWCTF-2019-xxor"><a href="#GWCTF-2019-xxor" class="headerlink" title="[GWCTF 2019]xxor"></a>[GWCTF 2019]xxor</h3><p>进入主函数</p>
<pre><code class="c">__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  signed int i; // [rsp+8h] [rbp-68h]
  signed int j; // [rsp+Ch] [rbp-64h]
  __int64 v6; // [rsp+10h] [rbp-60h]
  __int64 v7; // [rsp+18h] [rbp-58h]
  __int64 v8; // [rsp+20h] [rbp-50h]
  __int64 v9; // [rsp+28h] [rbp-48h]
  __int64 v10; // [rsp+30h] [rbp-40h]
  __int64 v11; // [rsp+40h] [rbp-30h]
  __int64 v12; // [rsp+48h] [rbp-28h]
  __int64 v13; // [rsp+50h] [rbp-20h]
  __int64 v14; // [rsp+58h] [rbp-18h]
  __int64 v15; // [rsp+60h] [rbp-10h]
  unsigned __int64 v16; // [rsp+68h] [rbp-8h]

  v16 = __readfsqword(0x28u);
  puts(&quot;Let us play a game?&quot;);
  puts(&quot;you have six chances to input&quot;);
  puts(&quot;Come on!&quot;);
  v6 = 0LL;
  v7 = 0LL;
  v8 = 0LL;
  v9 = 0LL;
  v10 = 0LL;
  for ( i = 0; i &lt;= 5; ++i )
  {
    printf(&quot;%s&quot;, &quot;input: &quot;, (unsigned int)i);
    __isoc99_scanf(&quot;%d&quot;, (char *)&amp;v6 + 4 * i);
  }
  v11 = 0LL;
  v12 = 0LL;
  v13 = 0LL;
  v14 = 0LL;
  v15 = 0LL;
  for ( j = 0; j &lt;= 4; j += 2 )
  {
    dword_601078 = *((_DWORD *)&amp;v6 + j);        // 0,2,4
    dword_60107C = *((_DWORD *)&amp;v6 + j + 1);    // 1,3,5
    sub_400686((unsigned int *)&amp;dword_601078, &amp;unk_601060);// xor处理函数,unk_601060={2,2,3,4}
    *((_DWORD *)&amp;v11 + j) = dword_601078;       // 0,2,4
    *((_DWORD *)&amp;v11 + j + 1) = dword_60107C;   // 1,3,5
  }
  if ( (unsigned int)sub_400770(&amp;v11) != 1 )    // 判定函数
  {
    puts(&quot;NO NO NO~ &quot;);
    exit(0);
  }
  puts(&quot;Congratulation!\n&quot;);
  puts(&quot;You seccess half\n&quot;);
  puts(&quot;Do not forget to change input to hex and combine~\n&quot;);
  puts(&quot;ByeBye&quot;);
  return 0LL;
}</code></pre>
<p>for循环中是对输入的内容异或处理，if中的判定函数是判断处理后的数组是否符合要求</p>
<p>再看看xor处理函数</p>
<pre><code class="c">__int64 __fastcall sub_400686(unsigned int *a1, _DWORD *a2)
{
  __int64 result; // rax
  unsigned int v3; // [rsp+1Ch] [rbp-24h]
  unsigned int v4; // [rsp+20h] [rbp-20h]
  int v5; // [rsp+24h] [rbp-1Ch]
  unsigned int i; // [rsp+28h] [rbp-18h]

  v3 = *a1;
  v4 = a1[1];
  v5 = 0;
  for ( i = 0; i &lt;= 63; ++i )                   // xor处理过程,逆向的时候反过来求解就可以了
  {
    v5 += 1166789954;                           // python的&gt;&gt;和c的&gt;&gt;意思不太一样，所以脚本用c写比较合适
    v3 += (v4 + v5 + 11) ^ ((v4 &lt;&lt; 6) + *a2) ^ ((v4 &gt;&gt; 9) + a2[1]) ^ 32;
    v4 += (v3 + v5 + 20) ^ ((v3 &lt;&lt; 6) + a2[2]) ^ ((v3 &gt;&gt; 9) + a2[3]) ^ 16;
  }
  *a1 = v3;
  result = v4;
  a1[1] = v4;
  return result;
}</code></pre>
<p>然后是if里的判定函数</p>
<pre><code class="c">signed __int64 __fastcall sub_400770(_DWORD *a1)
{
  signed __int64 result; // rax

  if ( a1[2] - a1[3] != 2225223423LL || a1[3] + a1[4] != 4201428739LL || a1[2] - a1[4] != 1121399208LL )
  {
    puts(&quot;Wrong!&quot;);
    result = 0LL;
  }
  else if ( *a1 != -548868226 || a1[5] != -2064448480 || a1[1] != 550153460 )
  {
    puts(&quot;Wrong!&quot;);
    result = 0LL;
  }
  else
  {
    puts(&quot;good!&quot;);
    result = 1LL;
  }
  return result;
}</code></pre>
<p>从这个函数中可以得知几个式子</p>
<pre><code class="c">a1[2] - a1[3] == 2225223423
a1[3] + a1[4] == 4201428739
a1[2] - a1[4] == 1121399208
a1[0] == 0xDF48EF7E
a1[1] == 550153460
a1[5] == 0x84F30420</code></pre>
<p>其实前三个式子是个三元一次方程组，求解即可得到a1数组</p>
<p>python中的z3模块可以快速的求解方程组，但自己捣鼓半天没安装好，手算吧。。。tcl</p>
<pre><code class="c">a4 = 2652626477
a2 = 3774025685
a3 = 1548802262</code></pre>
<p>然后就是脚本了</p>
<pre><code class="c++">#include &lt;iostream&gt;

#pragma warning(disable:4996)
using namespace std;

int main()
{
    __int64 a[6] = { 3746099070, 550153460, 3774025685, 1548802262, 2652626477, 2230518816 };
    //算出来的a1数组
    unsigned int a2[4] = { 2,2,3,4 };//unk_601060
    unsigned int v3, v4;
    int v5;
    for (int j = 0; j &lt;= 4; j += 2) {
        v3 = a[j];
        v4 = a[j + 1];
        v5 = 1166789954*0x40;
        for (int i = 0; i &lt;= 0x3F; ++i) {
            v4 -= (v3 + v5 + 20) ^ ((v3 &lt;&lt; 6) + a2[2]) ^ ((v3 &gt;&gt; 9) + a2[3]) ^ 0x10;
            v3 -= (v4 + v5 + 11) ^ ((v4 &lt;&lt; 6) + *a2) ^ ((v4 &gt;&gt; 9) + a2[1]) ^ 0x20;
            v5 -= 1166789954;
        }
        a[j] = v3;
        a[j + 1] = v4;
    }

    /*将整型数组作为字符输出，注意计算机小端排序*/
    for (int i = 0; i &lt; 6; ++i) {
        cout &lt;&lt; *((char*)&amp;a[i] + 2) &lt;&lt; *((char*)&amp;a[i] + 1) &lt;&lt;  * ((char*)&amp;a[i]);
    }

    system(&quot;PAUSE&quot;);
    return 0;
}
//flag{re_is_great!}</code></pre>
<h3 id="GXYCTF2019-simple-CPP"><a href="#GXYCTF2019-simple-CPP" class="headerlink" title="[GXYCTF2019]simple CPP"></a>[GXYCTF2019]simple CPP</h3><p>进入主函数，发现有好多类似方程的语句。。又要用z3解。网上找了好多安装教程，都不太管用，win和linux都试了试，主要都想着pip下载，但是都没啥用，最后找到了一篇比较靠谱的博客才装上，_花了整整三天。。。_和当时安gmpy2有的一拼，但是安装很快，配置一下环境变量就好了，直接放一下找到的<a href="https://www.jianshu.com/p/f77331e406ac" target="_blank" rel="noopener">教程</a>吧。这个教程的win版的我安装成功了，linux自己找不到kali的py包装在哪里了，就没装上，但是win直接vscode就很香，不需要再开虚拟机了。</p>
<p>下面进入正题，主要逻辑如下</p>
<pre><code class="c">__int64 sub_140001290()
{
  bool v0; // si
  __int64 v1; // rax
  __int64 v2; // r8
  unsigned __int8 *v3; // rax
  unsigned __int8 *v4; // rbx
  int v5; // er10
  __int64 v6; // r11
  _BYTE *v7; // r9
  void **v8; // r8
  __int64 v9; // rdi
  __int64 v10; // r15
  __int64 v11; // r12
  __int64 v12; // rbp
  signed int v13; // ecx
  unsigned __int8 *v14; // rdx
  __int64 v15; // rdi
  __int64 *v16; // r14
  __int64 v17; // rbp
  __int64 v18; // r13
  _QWORD *v19; // rdi
  __int64 v20; // r12
  __int64 v21; // r15
  __int64 v22; // rbp
  __int64 v23; // rdx
  __int64 v24; // rbp
  __int64 v25; // rbp
  __int64 v26; // r10
  __int64 v27; // rdi
  __int64 v28; // r8
  bool v29; // dl
  _QWORD *v30; // rax
  void *v31; // rdx
  _QWORD *v32; // rax
  __int64 v33; // rax
  _BYTE *v34; // rcx
  __int64 v36; // [rsp+20h] [rbp-68h]
  void *Memory; // [rsp+30h] [rbp-58h]
  unsigned __int64 v38; // [rsp+40h] [rbp-48h]
  unsigned __int64 v39; // [rsp+48h] [rbp-40h]

  v0 = 0;
  v38 = 0i64;
  v39 = 15i64;
  LOBYTE(Memory) = 0;
  v1 = sub_1400019C0(std::cout, &quot;I&#39;m a first timer of Logic algebra , how about you?&quot;);
  std::basic_ostream&lt;char,std::char_traits&lt;char&gt;&gt;::operator&lt;&lt;(v1, sub_140001B90);
  sub_1400019C0(std::cout, &quot;Let&#39;s start our game,Please input your flag:&quot;);
  sub_140001DE0(std::cin, &amp;Memory, v2);
  std::basic_ostream&lt;char,std::char_traits&lt;char&gt;&gt;::operator&lt;&lt;(std::cout, sub_140001B90);
  if ( v38 - 5 &gt; 0x19 )
  {
    v33 = sub_1400019C0(std::cout, &quot;Wrong input ,no GXY{} in input words&quot;);
    std::basic_ostream&lt;char,std::char_traits&lt;char&gt;&gt;::operator&lt;&lt;(v33, sub_140001B90);
    goto LABEL_45;
  }
  v3 = (unsigned __int8 *)sub_1400024C8(0x20ui64);
  v4 = v3;
  if ( v3 )
  {
    *(_QWORD *)v3 = 0i64;
    *((_QWORD *)v3 + 1) = 0i64;
    *((_QWORD *)v3 + 2) = 0i64;
    *((_QWORD *)v3 + 3) = 0i64;
  }
  else
  {
    v4 = 0i64;
  }
  v5 = 0;
  if ( v38 &gt; 0 )
  {
    v6 = 0i64;
    do
    {
      v7 = &amp;Memory;
      if ( v39 &gt;= 16 )
        v7 = Memory;
      v8 = &amp;Dst;
      if ( (unsigned __int64)qword_140006060 &gt;= 16 )
        v8 = (void **)Dst;                      // i_will_check_is_debug_or_not
      v4[v6] = v7[v6] ^ *((_BYTE *)v8 + v5++ % 27);
      ++v6;
    }
    while ( v5 &lt; v38 );
  }
  v9 = 0i64;
  v10 = 0i64;
  v11 = 0i64;
  v12 = 0i64;
  if ( (signed int)v38 &gt; 30 )
    goto LABEL_28;
  v13 = 0;
  if ( (signed int)v38 &lt;= 0 )
    goto LABEL_28;
  v14 = v4;
  do
  {
    v15 = *v14 + v9;
    ++v13;
    ++v14;
    switch ( v13 )
    {
      case 8:
        v12 = v15;
        goto LABEL_24;
      case 16:
        v11 = v15;
        goto LABEL_24;
      case 24:
        v10 = v15;
LABEL_24:
        v15 = 0i64;
        break;
      case 32:
        sub_1400019C0(std::cout, &quot;ERRO,out of range&quot;);
        exit(1);
        break;
    }
    v9 = v15 &lt;&lt; 8;
  }
  while ( v13 &lt; (signed int)v38 );
  if ( v12 )
  {
    v16 = (__int64 *)sub_1400024C8(0x20ui64);
    *v16 = v12;
    v16[1] = v11;
    v16[2] = v10;
    v16[3] = v9;
    goto LABEL_29;
  }
LABEL_28:
  v16 = 0i64;
LABEL_29:
  v36 = v16[2];
  v17 = v16[1];
  v18 = *v16;
  v19 = sub_14000223C(0x20ui64);
  if ( IsDebuggerPresent() )
  {
    sub_1400019C0(std::cout, &quot;Hi , DO not debug me !&quot;);
    Sleep(0x7D0u);
    exit(0);
  }
  v20 = v17 &amp; v18;
  *v19 = v17 &amp; v18;                             // v20 = v16[1] &amp; v16[0]
  v21 = v36 &amp; ~v18;
  v19[1] = v21;                                 // v21 = v16[2] &amp; ~v16[0] 
  v22 = ~v17;                                   // v22 = ~v16[1]
  v23 = v36 &amp; v22;
  v19[2] = v36 &amp; v22;                           // v23 = v16[2] &amp; ~v16[1]
  v24 = v18 &amp; v22;                              // v24 = v16[0] &amp; ~v16[1]
  v19[3] = v24;
  if ( v21 != 1176889593874i64 )                // v21 = 1176889593874
  {
    v19[1] = 0i64;
    v21 = 0i64;
  }
  v25 = v21 | v20 | v23 | v24;                  // v25 = (v16[2] &amp; ~v16[0])|(v16[1] &amp; v16[0])|(v16[2] &amp; ~v16[1])|(v16[0] &amp; ~v16[1])
  v26 = v16[1];
  v27 = v16[2];
  v28 = v23 &amp; *v16 | v27 &amp; (v20 | v26 &amp; ~*v16 | ~(v26 | *v16));// (v16[2] &amp; ~v16[1])&amp;v16[0]|v16[2]&amp;((v16[1] &amp; v16[0])|v16[1]&amp;~v16[0]|~(v16[1]|v16[0]))
  v29 = 0;
  if ( v28 == 577031497978884115i64 )
    v29 = v25 == 4483974544037412639i64;
  if ( (v25 ^ v16[3]) == 4483974543195470111i64 )
    v0 = v29;
  if ( (v21 | v20 | v26 &amp; v27) != (~*v16 &amp; v27 | 864693332579200012i64) || v0 != 1 )
  {
    sub_1400019C0(std::cout, &quot;Wrong answer!try again&quot;);
    j_j_free(v4);
  }
  else
  {
    v30 = (_QWORD *)sub_1400019C0(std::cout, &quot;Congratulations!flag is GXY{&quot;);
    v31 = &amp;Memory;
    if ( v39 &gt;= 0x10 )
      v31 = Memory;
    v32 = sub_140001FD0(v30, (__int64)v31, v38);
    sub_1400019C0(v32, &quot;}&quot;);
    j_j_free(v4);
  }
LABEL_45:
  if ( v39 &gt;= 0x10 )
  {
    v34 = Memory;
    if ( v39 + 1 &gt;= 0x1000 )
    {
      v34 = (_BYTE *)*((_QWORD *)Memory - 1);
      if ( (unsigned __int64)((_BYTE *)Memory - v34 - 8) &gt; 31 )
        invalid_parameter_noinfo_noreturn();
    }
    j_j_free(v34);
  }
  return 0i64;
}</code></pre>
<p>方程的逻辑整理后，用z3脚本如下</p>
<pre><code class="python">from z3 import *

x0,x1,x2,x3=BitVecs(&#39;x0 x1 x2 x3&#39;,64)
f=Solver()   #添加求解器

f.add(((x2&amp;~x1)&amp;x0|x2&amp;((x1&amp;x0)|x1&amp;~x0|~(x1|x0)))==577031497978884115)
f.add((4483974544037412639^x3)==4483974543195470111)
f.add(x2&amp;~x0==1176889593874)
f.add((x2&amp;~x0|x1&amp;x0|x2&amp;~x1|x0&amp;~x1)==4483974544037412639)

if f.check() == sat:
    print (f.model())
#[ x3 = 842073600,
#  x1 = 1301610661054254600,
#  x0 = 4483973367147818765,
#  x2 = 577031497978884115 ]</code></pre>
<p>然后我们得到了原v16数组</p>
<pre><code class="c">do
    {
      v7 = &amp;Memory;
      if ( v39 &gt;= 16 )
        v7 = Memory;
      v8 = &amp;Dst;
      if ( (unsigned __int64)qword_140006060 &gt;= 16 )
        v8 = (void **)Dst;                      // i_will_check_is_debug_or_not
      v4[v6] = v7[v6] ^ *((_BYTE *)v8 + v5++ % 27);
      ++v6;
    }
    while ( v5 &lt; v38 );</code></pre>
<p>这一段是Dst数组与Memory进行异或，Memory里就是求得的数</p>
<pre><code class="python">Dst = &#39;i_will_check_is_debug_or_not&#39;
flag = [0x3e,0x3a,0x46,0x05,0x33,0x28,0x6f,0x0d,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x08,0x2,0x07,0x17,0x15,0x3e,0x30,0x13,0x32,0x31,0x06,0x00,0x00]
for i in range(27):
    print(chr(ord(Dst[i%27]) ^ flag[i]),end=&#39;&#39;)
# We1l_D0n^]#k}i&lt;Wlgebra_am_i</code></pre>
<p>可以看到有8个字符是乱码的，看了大佬们的WP发现题目有点问题，比赛的时候放的hint直接给出了那8位乱码</p>
<blockquote>
<p>e!P0or_a</p>
</blockquote>
<p>所以flag为flag{We1l_D0ne!P0or_algebra_am_i}</p>
<h1 id=""><a href="#" class="headerlink" title=""></a></h1>
            <!--[if lt IE 9]><script>document.createElement('audio');</script><![endif]-->
            <audio id="audio" loop="1" preload="auto" controls="controls"
                data-autoplay="false">
                <source type="audio/mpeg" src="">
            </audio>
            
            <ul id="audio-list" style="display:none">
                
                
                <li title='0' data-url='/statics/i saw you in a dream.mp3'></li>
                
                    
            </ul>
            
            
            
            <div id="vcomments"></div>
            
        </div>
        <div class="sidebar">
            <div class="box animated fadeInRight">
                <div class="subbox">
                    <img src="/img/avatar.jpg" height=300 width=300></img>
                    <p>L3SLIE</p>
                    <span>Life Long & Pwn</span>
                    <dl>
                        <dd><a href="https://github.com/13slie" target="_blank"><span
                                    class=" iconfont icon-github"></span></a></dd>
                        <dd><a href="" target="_blank"><span
                                    class=" iconfont icon-twitter"></span></a></dd>
                        <dd><a href="https://stackexchange.com/users/17805607/l3slie" target="_blank"><span
                                    class=" iconfont icon-stack-overflow"></span></a></dd>
                    </dl>
                </div>
                <ul>
                    <li><a href="/">46 <p>Articles</p></a></li>
                    <li><a href="/categories">13 <p>Categories</p></a></li>
                    <li><a href="/tags">20 <p>Tags</p></a></li>
                    <br><span><b><p>友链博客</p></b></span><br>
                    <span><u><p><a href="http://rdd.xjusec.club/" target="_blank">Rdd</a></p></u></span>
                    <span><u><p><a href="http://www.xjusec.club/" target="_blank">XJUSEC</a></p></u></span>
                    <span><u><p><a href="http://www.r1ght0us.xyz/" target="_blank">r1ght0us</a></p></u></span>
                </ul>
            </div>
            
            
            
            <div class="box sticky animated fadeInRight faster">
                <div id="toc" class="subbox">
                    <h4>Contents</h4>
                    <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#DAY-1"><span class="toc-number">1.</span> <span class="toc-text">DAY  1</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#crypto"><span class="toc-number">1.1.</span> <span class="toc-text">crypto</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#传统知识-古典密码"><span class="toc-number">1.1.1.</span> <span class="toc-text">传统知识+古典密码</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#Windows系统密码"><span class="toc-number">1.1.2.</span> <span class="toc-text">Windows系统密码</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#RSA1"><span class="toc-number">1.1.3.</span> <span class="toc-text">RSA1</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#RSA2"><span class="toc-number">1.1.4.</span> <span class="toc-text">RSA2</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#RSA3"><span class="toc-number">1.1.5.</span> <span class="toc-text">RSA3</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#信息化时代的步伐"><span class="toc-number">1.1.6.</span> <span class="toc-text">信息化时代的步伐</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#old-fashion"><span class="toc-number">1.1.7.</span> <span class="toc-text">old-fashion</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#萌萌哒八戒"><span class="toc-number">1.1.8.</span> <span class="toc-text">萌萌哒八戒</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#reverse"><span class="toc-number">1.2.</span> <span class="toc-text">reverse</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#SimpleRev"><span class="toc-number">1.2.1.</span> <span class="toc-text">SimpleRev</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#CrackRTF"><span class="toc-number">1.2.2.</span> <span class="toc-text">CrackRTF</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#简单注册机"><span class="toc-number">1.2.3.</span> <span class="toc-text">简单注册机</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#8086"><span class="toc-number">1.2.4.</span> <span class="toc-text">8086</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#misc"><span class="toc-number">1.3.</span> <span class="toc-text">misc</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#最简单的misc"><span class="toc-number">1.3.1.</span> <span class="toc-text">最简单的misc</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#DAY-2"><span class="toc-number">2.</span> <span class="toc-text">DAY 2</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#reverse-1"><span class="toc-number">2.1.</span> <span class="toc-text">reverse</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#luck-guy"><span class="toc-number">2.1.1.</span> <span class="toc-text">luck_guy</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#crypto-1"><span class="toc-number">2.2.</span> <span class="toc-text">crypto</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#cat-flag"><span class="toc-number">2.2.1.</span> <span class="toc-text">cat_flag</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#灵能精通"><span class="toc-number">2.2.2.</span> <span class="toc-text">灵能精通</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#燕言燕语"><span class="toc-number">2.2.3.</span> <span class="toc-text">燕言燕语</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#Y1nglish"><span class="toc-number">2.2.4.</span> <span class="toc-text">Y1nglish</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#DAY-3"><span class="toc-number">3.</span> <span class="toc-text">DAY 3</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#reverse-2"><span class="toc-number">3.1.</span> <span class="toc-text">reverse</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#Youngter-drive"><span class="toc-number">3.1.1.</span> <span class="toc-text">Youngter-drive</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#相册"><span class="toc-number">3.1.2.</span> <span class="toc-text">相册</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#GWCTF-2019-pyre"><span class="toc-number">3.1.3.</span> <span class="toc-text">[GWCTF 2019]pyre</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#SUCTF2019-SignIn"><span class="toc-number">3.1.4.</span> <span class="toc-text">[SUCTF2019]SignIn</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#2019红帽杯-easyRE"><span class="toc-number">3.1.5.</span> <span class="toc-text">[2019红帽杯]easyRE</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#BJDCTF2020-JustRE"><span class="toc-number">3.1.6.</span> <span class="toc-text">[BJDCTF2020]JustRE</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#crackMe"><span class="toc-number">3.1.7.</span> <span class="toc-text">crackMe</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#CSRe"><span class="toc-number">3.1.8.</span> <span class="toc-text">CSRe</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#DAY-4"><span class="toc-number">4.</span> <span class="toc-text">DAY 4</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#DAY-5"><span class="toc-number">5.</span> <span class="toc-text">DAY 5</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#reverse-3"><span class="toc-number">5.1.</span> <span class="toc-text">reverse</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#ACTF新生赛2020-easyre"><span class="toc-number">5.1.1.</span> <span class="toc-text">[ACTF新生赛2020]easyre</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#GUET-CTF2019-re"><span class="toc-number">5.1.2.</span> <span class="toc-text">[GUET-CTF2019]re</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#FlareOn4-login"><span class="toc-number">5.1.3.</span> <span class="toc-text">[FlareOn4]login</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#BJDCTF2020-easy"><span class="toc-number">5.1.4.</span> <span class="toc-text">[BJDCTF2020]easy</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#DAY-6"><span class="toc-number">6.</span> <span class="toc-text">DAY 6</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#reverse-4"><span class="toc-number">6.1.</span> <span class="toc-text">reverse</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#BJDCTF2020-BJD-hamburger-competition"><span class="toc-number">6.1.1.</span> <span class="toc-text">[BJDCTF2020]BJD hamburger competition</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#ACTF新生赛2020-usualCrypt"><span class="toc-number">6.1.2.</span> <span class="toc-text">[ACTF新生赛2020]usualCrypt</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#GWCTF-2019-xxor"><span class="toc-number">6.1.3.</span> <span class="toc-text">[GWCTF 2019]xxor</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#GXYCTF2019-simple-CPP"><span class="toc-number">6.1.4.</span> <span class="toc-text">[GXYCTF2019]simple CPP</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#null"><span class="toc-number">7.</span> <span class="toc-text"></span></a></li></ol>
                </div>
            </div>
            
            
        </div>
    </div>
</div>

    </div>
</div>
    <div id="back-to-top" class="animated fadeIn faster">
        <div class="flow"></div>
        <span class="percentage animated fadeIn faster">0%</span>
        <span class="iconfont icon-top02 animated fadeIn faster"></span>
    </div>
</body>
<footer>
    <p class="copyright" id="copyright">
		<span id="timeDate">载入天数...</span><span id="times">载入时分秒...</span>
		<script>
		var now = new Date(); 
		function createtime() { 
			var grt= new Date("01/10/2020 00:00:00");//在此处修改你的建站时间
			now.setTime(now.getTime()+250); 
			days = (now - grt ) / 1000 / 60 / 60 / 24; dnum = Math.floor(days); 
			hours = (now - grt ) / 1000 / 60 / 60 - (24 * dnum); hnum = Math.floor(hours); 
			if(String(hnum).length ==1 ){hnum = "0" + hnum;} minutes = (now - grt ) / 1000 /60 - (24 * 60 * dnum) - (60 * hnum); 
			mnum = Math.floor(minutes); if(String(mnum).length ==1 ){mnum = "0" + mnum;} 
			seconds = (now - grt ) / 1000 - (24 * 60 * 60 * dnum) - (60 * 60 * hnum) - (60 * mnum); 
			snum = Math.round(seconds); if(String(snum).length ==1 ){snum = "0" + snum;} 
			document.getElementById("timeDate").innerHTML = "本站已安全运行 "+dnum+" 天 "; 
			document.getElementById("times").innerHTML = hnum + " 小时 " + mnum + " 分 " + snum + " 秒"; 
		} 
		setInterval("createtime()",250);
		</script>
        &copy; 2020
        <span class="gradient-text">
            L3SLIE
        </span>❤
        Powered by <a href="http://hexo.io/" title="Hexo" target="_blank" rel="noopener">Hexo</a>
        Theme
        <span class="gradient-text">
            <a href="https://github.com/TriDiamond/hexo-theme-obsidian" title="Obsidian" target="_blank" rel="noopener">Obsidian</a>
        </span>
        <small><a href="https://github.com/TriDiamond/hexo-theme-obsidian/blob/master/CHANGELOG.md" title="v1.4.3" target="_blank" rel="noopener">v1.4.3</a></small>
    </p>
</footer>

<script type="text/javascript" src="https://cdn.bootcss.com/mathjax/2.7.6/MathJax.js?config=TeX-AMS-MML_HTMLorMML">
</script>
<script>
  MathJax.Hub.Config({
    "HTML-CSS": {
      preferredFont: "TeX",
      availableFonts: ["STIX", "TeX"],
      linebreaks: {
        automatic: true
      },
      EqnChunk: (MathJax.Hub.Browser.isMobile ? 10 : 50)
    },
    tex2jax: {
      inlineMath: [
        ["$", "$"],
        ["\\(", "\\)"]
      ],
      processEscapes: true,
      ignoreClass: "tex2jax_ignore|dno",
      skipTags: ['script', 'noscript', 'style', 'textarea', 'pre', 'code']
    },
    TeX: {
      noUndefined: {
        attributes: {
          mathcolor: "red",
          mathbackground: "#FFEEEE",
          mathsize: "90%"
        }
      },
      Macros: {
        href: "{}"
      }
    },
    messageStyle: "none"
  });
</script>
<script>
  function initialMathJax() {
    MathJax.Hub.Queue(function () {
      var all = MathJax.Hub.getAllJax(),
        i;
      // console.log(all);
      for (i = 0; i < all.length; i += 1) {
        console.log(all[i].SourceElement().parentNode)
        all[i].SourceElement().parentNode.className += ' has-jax';
      }
    });
  }

  function reprocessMathJax() {
    if (typeof MathJax !== 'undefined') {
      MathJax.Hub.Queue(["Typeset", MathJax.Hub]);
    }
  }
</script>




<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<script src="/js/plugin.js"></script>
<script src="/js/obsidian.js"></script>
<script src="/js/jquery.truncate.js"></script>
<script src="/js/search.js"></script>


<script src="//cdn.bootcss.com/typed.js/2.0.10/typed.min.js"></script>


<script src="//cdn.bootcss.com/blueimp-md5/2.12.0/js/md5.min.js"></script>


<script src="//cdnjs.cloudflare.com/ajax/libs/social-share.js/1.0.16/js/social-share.min.js"></script>


<script src="https://cdn.bootcss.com/codemirror/5.48.4/codemirror.min.js"></script>

    
<script src="//cdn.bootcss.com/codemirror/5.48.4/mode/javascript/javascript.min.js"></script>


    
<script src="//cdn.bootcss.com/codemirror/5.48.4/mode/css/css.min.js"></script>


    
<script src="//cdn.bootcss.com/codemirror/5.48.4/mode/xml/xml.min.js"></script>


    
<script src="//cdn.bootcss.com/codemirror/5.48.4/mode/htmlmixed/htmlmixed.min.js"></script>


    
<script src="//cdn.bootcss.com/codemirror/5.48.4/mode/clike/clike.min.js"></script>


    
<script src="//cdn.bootcss.com/codemirror/5.48.4/mode/php/php.min.js"></script>


    
<script src="//cdn.bootcss.com/codemirror/5.48.4/mode/shell/shell.min.js"></script>


    
<script src="//cdn.bootcss.com/codemirror/5.48.4/mode/python/python.min.js"></script>




    
<script src="/js/busuanzi.min.js"></script>

    <script>
        $(document).ready(function () {
            if ($('span[id^="busuanzi_"]').length) {
                initialBusuanzi();
            }
        });
    </script>



<link rel="stylesheet" href="//cdn.bootcss.com/photoswipe/4.1.3/photoswipe.min.css">
<link rel="stylesheet" href="//cdn.bootcss.com/photoswipe/4.1.3/default-skin/default-skin.min.css">


<script src="//cdn.bootcss.com/photoswipe/4.1.3/photoswipe.min.js"></script>
<script src="//cdn.bootcss.com/photoswipe/4.1.3/photoswipe-ui-default.min.js"></script>


<!-- Root element of PhotoSwipe. Must have class pswp. -->
<div class="pswp" tabindex="-1" role="dialog" aria-hidden="true">
    <!-- Background of PhotoSwipe. 
         It's a separate element as animating opacity is faster than rgba(). -->
    <div class="pswp__bg"></div>
    <!-- Slides wrapper with overflow:hidden. -->
    <div class="pswp__scroll-wrap">
        <!-- Container that holds slides. 
            PhotoSwipe keeps only 3 of them in the DOM to save memory.
            Don't modify these 3 pswp__item elements, data is added later on. -->
        <div class="pswp__container">
            <div class="pswp__item"></div>
            <div class="pswp__item"></div>
            <div class="pswp__item"></div>
        </div>
        <!-- Default (PhotoSwipeUI_Default) interface on top of sliding area. Can be changed. -->
        <div class="pswp__ui pswp__ui--hidden">
            <div class="pswp__top-bar">
                <!--  Controls are self-explanatory. Order can be changed. -->
                <div class="pswp__counter"></div>
                <button class="pswp__button pswp__button--close" title="Close (Esc)"></button>
                <button class="pswp__button pswp__button--share" title="Share"></button>
                <button class="pswp__button pswp__button--fs" title="Toggle fullscreen"></button>
                <button class="pswp__button pswp__button--zoom" title="Zoom in/out"></button>
                <!-- Preloader demo http://codepen.io/dimsemenov/pen/yyBWoR -->
                <!-- element will get class pswp__preloader--active when preloader is running -->
                <div class="pswp__preloader">
                    <div class="pswp__preloader__icn">
                      <div class="pswp__preloader__cut">
                        <div class="pswp__preloader__donut"></div>
                      </div>
                    </div>
                </div>
            </div>
            <div class="pswp__share-modal pswp__share-modal--hidden pswp__single-tap">
                <div class="pswp__share-tooltip"></div> 
            </div>
            <button class="pswp__button pswp__button--arrow--left" title="Previous (arrow left)">
            </button>
            <button class="pswp__button pswp__button--arrow--right" title="Next (arrow right)">
            </button>
            <div class="pswp__caption">
                <div class="pswp__caption__center"></div>
            </div>
        </div>
    </div>
</div>







<script>
    function initialTyped () {
        var typedTextEl = $('.typed-text');
        if (typedTextEl && typedTextEl.length > 0) {
            var typed = new Typed('.typed-text', {
                strings: ["Life Long &amp; Pwn", "生命不息，破解不止"],
                typeSpeed: 90,
                loop: true,
                loopCount: Infinity,
                backSpeed: 20,
            });
        }
    }

    if ($('.article-header') && $('.article-header').length) {
        $(document).ready(function () {
            initialTyped();
        });
    }
</script>


    
<script src="//unpkg.com/valine/dist/Valine.min.js"></script>

    <script>

        var valine = new Valine();

        function initValine(path) {
            if (!path) path = window.location.pathname;
            let language = '';
            if (!language) {
                language = 'en';
            } else {
                language = language.toLowerCase();
            }
            valine.init({
                el: '#vcomments',
                appId: 'GnPlbHQ9xAWEoCDC8rR3zALj-gzGzoHsz',
                appKey: 'Nygd2awSxr9ioTDtvbH6hE0l',
                notify: 'false',
                verify: 'false',
                avatar: 'mm',
                placeholder: 'feel free to comment~',
                visitor: 'true',
                path: path,
                lang: language
            });
        }

        $(document).ready(function () {
            initValine();
        });
    </script>



</html>
<!-- 页面点击小红心 -->
<script type="text/javascript" src="/js/love.js"></script>
<!-- 烟火效果 -->
<canvas class="fireworks" style="position: fixed;left: 0;top: 0;z-index: 1; pointer-events: none;" ></canvas> 
<script type="text/javascript" src="//cdn.bootcss.com/animejs/2.2.0/anime.min.js"></script> 
<script type="text/javascript" src="/js/fireworks.js"></script>
<!--自定义标题-->
<script type="text/javascript" src="\js\title.js"></script>
